Title: PCSR – Sub-chapter 15.2 – PSA for internal and...
Transcript of Title: PCSR – Sub-chapter 15.2 – PSA for internal and...
UNCLASSIFIED
Title: PCSR – Sub-chapter 15.2 – PSA for internal and external hazards
UKEPR-0002-152 Issue 05
Total number of pages: 98 Page No.: I / IV
Chapter Pilot: F. GODEFROY
Name/Initials
Date 31-10-2012
Approved for EDF by: A. MARECHAL Approved for AREVA by: G. CRAIG
Name/Initials Date 06-11-2012 Name/Initials
Date 05-11-2012
UNCLASSIFIED
REVISION HISTORY
Issue Description Date
00 First issue for INSA review 08/02/08
01 Integration of technical, co-applicant and INSA review comments 29-04-08
02 PCSR June 2009 update:
- Clarification of text - Inclusion of references - Inclusion of preventative maintenance in the base line PSA model - Change in reliability data - Update of the aircraft crash analysis (section 2.3)
26-06-09
03 Removal of RESTRICTED marking and RESTRICTED information, and addition of CCI marking.
18-06-2010
04 Consolidated Step 4 PCSR update:
- Minor typographical changes
- Clarification of text (section 1.5, 1.6 and 2.3)
- Inclusion of references (section 1.3 and 1.5)
- Update of results according to PSA update
30-03-2011
Continued on next page
Text within this document that is enclosed within curly brackets “{…}” is AREVA or EDF Commercially Confidential Information and has been removed.
UNCLASSIFIED
Title: PCSR – Sub-chapter 15.2 – PSA for internal and external hazards
UKEPR-0002-152 Issue 05 Page No.:
II / IV
UNCLASSIFIED
REVISION HISTORY (Cont’d)
Issue Description Date
05 Consolidated PCSR update: - References listed under each numbered section or sub-section heading
numbered [Ref-1], [Ref-2], [Ref-3], etc - Minor editorial changes - Clarification of text (section 1.5.3 and 1.6.1)
06-11-2012
UNCLASSIFIED
Title: PCSR – Sub-chapter 15.2 – PSA for internal and external hazards
UKEPR-0002-152 Issue 05 Page No.:
III / IV
UNCLASSIFIED
Copyright © 2012
AREVA NP & EDF All Rights Reserved
This document has been prepared by or on behalf of AREVA NP and EDF SA in connection with their request for generic design assessment of the EPRTM design by the UK nuclear regulatory authorities. This document is the property of AREVA NP and EDF SA. Although due care has been taken in compiling the content of this document, neither AREVA NP, EDF SA nor any of their respective affiliates accept any reliability in respect to any errors, omissions or inaccuracies contained or referred to in it. All intellectual property rights in the content of this document are owned by AREVA NP, EDF SA, their respective affiliates and their respective licensors. You are permitted to download and print content from this document solely for your own internal purposes and/or personal use. The document content must not be copied or reproduced, used or otherwise dealt with for any other reason. You are not entitled to modify or redistribute the content of this document without the express written permission of AREVA NP and EDF SA. This document and any copies that have been made of it must be returned to AREVA NP or EDF SA on their request. Trade marks, logos and brand names used in this document are owned by AREVA NP, EDF SA, their respective affiliates or other licensors. No rights are granted to use any of them without the prior written permission of the owner.
Trade Mark EPRTM is an AREVA Trade Mark.
For information address:
AREVA NP SAS
Tour AREVA 92084 Paris La Défense Cedex
France
EDF Division Ingénierie Nucléaire
Centre National d'Equipement Nucléaire 165-173, avenue Pierre Brossolette
BP900 92542 Montrouge
France
UNCLASSIFIED
Title: PCSR – Sub-chapter 15.2 – PSA for internal and external hazards
UKEPR-0002-152 Issue 05 Page No.:
IV / IV
UNCLASSIFIED
TABLE OF CONTENTS
1. INTERNAL HAZARDS
1.1. PIPE LEAKS AND BREAKS - FAILURES OF VESSELS, TANKS, PUMPS AND VALVES
1.2. MISSILES
1.3. DROPPED LOADS
1.4. INTERNAL EXPLOSIONS
1.5. FIRE
1.6. FLOODING
2. EXTERNAL HAZARDS ANALYSIS
2.1. SCREENING ANALYSIS
2.2. EARTHQUAKE
2.3. AIRCRAFT CRASH
2.4. EXTREME WEATHER CONDITIONS
2.5. BIOLOGICAL CLOGGING OF WATER INTAKES
3. LOSS OF ULTIMATE HEAT SINK – LUHS
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 1 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
SUB-CHAPTER 15.2 – PSA FOR INTERNAL AND EXTERNAL HAZARDS
This sub-chapter presents the results of an initial study to analyse the frequency of core damage associated with internal and external hazards for the UK EPR.
The identification of the set of hazards which are analysed is presented in section 1.2.3.5 of Sub-chapter 3.1, The analysis of internal hazards covers all potential hazards and quantifies the risk associated with fire and flooding hazards For external hazards, analysis is applied to a generic UK site (coastal or estuary) using the data presented in Chapter 2. The list of external hazards is reduced by a screening analysis
Procedures to assess the hazard risk vary according to the hazard studied: each hazard is considered in a separate section of this sub-chapter.
The results are summarised in Sub-chapter 15.7 in terms of core damage frequency (per reactor per year), for both internal fire and flooding, and the ‘screened in’ external hazards.
An assessment of the core damage frequency associated with the loss of ultimate heat sink (total loss of the water intakes) is also presented here.
1. INTERNAL HAZARDS
The internal hazards considered are those identified in Sub-chapter 13.2, namely:
• pipe leaks and breaks,
• failures of vessels, tanks, pumps and valves,
• missiles,
• dropped loads,
• internal explosions,
• fire,
• internal flooding.
1.1. PIPE LEAKS AND BREAKS - FAILURES OF VESSELS, TANKS, PUMPS AND VALVES
The consequences of breaks in pipes, tanks, pumps and valves considered in the hazards PSA are flooding (via spraying or submersion) and moisture release. The risks are dealt with as part of the analysis of risk associated with internal flooding.
The induced consequences of missiles resulting from such breaks and failures (mechanical damage to other components) are addressed in sub-section 1.2 of this sub-chapter.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 2 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
1.2. MISSILES
The missile hazard is treated by a qualitative study on the basis of the corresponding deterministic analysis, as described in section 4 (“Protection against Missiles”) of Sub-chapter 13.2, “Protection against Internal Hazards”. Specific information about buildings is obtained from Sub-chapter 1.2, “General description of the unit”.
1.2.1. General aspects
In the conception and design of nuclear power plants, consideration must be given both to missiles generated inside the containment, structures or compartments containing safety equipment outside containment, and to externally generated missiles.
Due to their importance to plant safety, missile protection measures are taken for the following buildings:
• Reactor building, including the internal structures,
• Safeguard buildings,
• Fuel building,
• Diesel generator buildings,
• Pumping station.
The principal approach taken for protection against internally generated missiles is spatial separation of the different F1 system trains into different building divisions. This includes the associated auxiliary systems such as the power and fluid supply systems. The divisions are structurally separated by concrete partition walls which prevent internally generated missiles from penetrating into other divisions. Damage within one division is permissible from a safety point of view, as the system is designed to be able to continue to operate safely with the loss of one train.
In addition to the partition walls between the divisions, further concrete structures are provided within the individual divisions, e.g. partition walls between the individual reactor coolant loops in the containment, where appropriate, and a missile protection cylinder in the containment. In addition to the measures taken inside the containment to protect safety equipment from the effects of missiles, it must be ensured that equipment inside the containment which contains radioactive material, and the containment itself, are not damaged. This is achieved primarily by providing partition walls between the individual reactor coolant system loops, by the arrangement of the reactor coolant system within the missile protection zone or by the arrangement of specific valve and steam generator compartments.
Based on the concept of defence in depth, the multiple structural measures described above ensure overall protection against missiles. In addition, the probability of internally generated missiles is reduced by the consistent application of safety oriented design and engineering principles. For example, the use of preventive measures such as over-speed trip protection devices, equipment restraints, and valve stem threads designed to securely retain the valve in the event of mechanical failure.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 3 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
In addition, the high level of quality assurance applied during the design, manufacture, installation, inspection pre-service and in-service, in accordance with the relevant codes and standards, and the regular maintenance regime, further reduce the probability of missile generation.
The multiple measures described above ensure that the generation of missiles and the occurrence of unacceptable consequences of missile effects are so improbable that detailed analyses of each individual missile source are not necessary. However, worst case scenarios are analysed, considering certain representative internal missiles.
In this context only valves in high energy systems, and the control rod drive mechanism and its housing, are considered as potential missile sources. The valves considered include the pressuriser safety valves, the RCV [CVCS] isolation valves and the isolation valves of the RIS [SIS].
Consequently, no systematic functional analyses have been performed for missile protection: however it is confirmed that layout provisions (thickness of walls, slabs working as barriers) are sufficient to protect against the chosen representative missiles.
1.2.2. Selection and Description of Missiles
There are two general sources of potential missiles:
• failure of rotating equipment,
• failure of pressurised components.
For the first missile source Turbine missiles and Reactor Coolant Pump flywheel can be considered as representative.
Concerning turbine missiles, the consequences of such missiles are reduced by turbine placement and orientation.
The location of safety equipment within the initial low pressure turbine missile ejection zone (±25° to the normal of the turbine axis) is generally avoided. There are no safety related buildings and no safety equipment in the zone of vulnerability for turbine missile impact.
Moreover, catastrophic failure of a turbine is expected to be a very rare event, because it will in general require coincident occurrence of:
• House load mode operation of the plant
• Failure of the turbine control system
• Failure of the turbine overspeed protection
Due to the site specific nature of the turbine missile risk, it is excluded from GDA and will be considered in the site licensing phase of the UK EPR.
The second missile source considered is represented by a group of valves, (chosen to span the range of system pressure and temperature as well as valve size) and by a control rod drive mechanism and its housing.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 4 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
1.2.2.1. Reactor Coolant Pump – Flywheel
The Reactor Coolant Pump motor is equipped with a flywheel and an anti-reverse rotation device on top of the motor.
As described in section 1 of Sub-chapter 5.4, the flywheel consists of two thick plates bolted together. It is slightly shrink-fitted onto the shaft and three special keys ensure torque transmission.
The flywheel is made from 20 NCD 14.7 steel, selected for its high toughness properties. This steel is made by an electric furnace melting process, aluminium killed and vacuum degassed (this process minimises flaws in the material and improves its fracture toughness properties).
The following measures are foreseen to minimise the probability of failure of the Reactor Coolant Pump-flywheel:
• The motor of the reactor coolant pump (including the flywheel) is tested at an overspeed of 25% of normal speed.
• 100% ultrasonic examination is performed on rough-machined parts after all heat treatments have been completed. The finished surfaces are subjected to dye penetration examination in accordance with the requirements of RCC-M.
• The flywheel is available for inspection by removing the flywheel cover.
• Six holes in the flywheel enable, without disassembly, periodic in-service ultrasonic examination of the most stressed areas located in the corners of the keyways.
Because of these design provisions and inspection measures, the probability of a missile induced by a failure of the flywheel can be expected to be so low that this event can be screened out from PSA.
1.2.2.2. Missiles due to Failure of Valves or Failure of a Control Rod Drive Mechanism
1.2.2.2.1. Valves
The following “valve” missiles, involving a range different valve masses, are analysed in order to bound the range of possible missiles effects:
• Failure of a reactor coolant system safety valve mounted on top of the pressuriser, or an additional valve provided for the case of a severe accident. The three reactor coolant system safety valves are of identical design and are mounted on top of the pressuriser in the same valve compartment.
• Failure of a chemical and volumetric control system RCV [CVCS] isolation valve. The isolation valves are located in a dedicated compartment and are separated from the containment by a concrete wall.
• Failure of the safety injection/residual heat removal system RIS [SIS] /RRA [RHRS] valves. There are four nearly identical physically separate compartments for the safety injection/residual heat removal system RIS [SIS] /RRA [RHRS], assigned to the four reactor coolant system loops. The analysis of missile effects is performed for postulated failure of the largest diameter valve.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 5 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The sphere of influence of missiles generated by such valves is limited by:
• the walls, floors and ceilings surrounding the reactor coolant loops, as well as the pressuriser and the PZR valve room,
• the missile protection cylinder,
• divisional separation between structures, primary/secondary loop separation walls (Reactor Building, Fuel Building, Safeguard Buildings, Service Water Pump Buildings, Diesel Buildings),
• structures between the main feedwater (ARE [MFW]) and main steam valve stations of the same loop and between the different loops.
1.2.2.2.2. Control rod drives
Failure of a control rod drive mechanism (CRDM) housing could lead to the ejection of the rod drive assembly and control rod cluster out of the core under the differential pressure of approximately 155 bar acting on the rod drive assembly. The rod drive assembly is likely to become completely separated from the control rod cluster and hurled against the pool slabs.
The consequence of the event would be a small LOCA, which is already considered as an initiating event of the PSA. No safety system would be affected. The event is covered by the SB-LOCA analysis, because its assessed frequency is much lower than that of SB-LOCA.
Summary of probabilistic assessment for missiles (Valves and Control Rod Drives)
In Sub-chapter 13.1, it is demonstrated that the barriers are designed such that only the affected safety train would be lost as a result of valve and control rod drive missiles.
From PSA point of view this means that the failure probability of the passive barriers can be assessed to be zero. Therefore, these missile events can be screened out of the PSA. Their contribution to the core damage frequency is covered by the analyses of events having the same effects on the plant and its safety equipment, but at a much higher frequency of occurrence.
The table below shows a summary of the “probabilistic” assessment for these missiles (Valves and Control Rod Drives).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 6 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Missile Analysis feature
- PZR safety valves
- RCV [CVCS] isolation valves
- RIS [SIS] isolation valves.
RCV [CVCS] valves outside containment (HP part)
Valve X Control Rod Drives
Building Containment Fuel Building Safeguard Building Containment - Reactor Pit
Barrier Walls of the relative valve compartment
Walls of the Fuel Building part
Walls of the Safeguard Building
Slabs covering the reactor pit and its walls
Effect on the plant SB-LOCA V-LOCA Loss of the affected
safety train SB-LOCA
Impact on other safety train None None None None
Effect on the Containment None None None None
1.2.2.3. Machinery/equipment used during shutdown
According to present knowledge no machinery or equipment will be used in safety critical areas during shutdowns which could be a source for missiles.
1.2.2.4. Results
The numerous levels of defence show that the EPR is well protected against missiles.
1.3. DROPPED LOADS
The general approach for this analysis is based on section 5 “Dropped Loads” within Sub-chapter 13.2, “Protection against Internal Hazards”.
1.3.1. Design and classification of handling devices
In order to cope with heavy loads, the design of handling devices is subject to specific regulations. In section 5 of Sub-chapter 13.2, the following three classifications of the handling devices - according to hazard potential - are used:
• Increased requirements
• Additional requirements
• Non-classified
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 7 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The rules for the classification are defined in section 5 of Sub-chapter 13.2. Lifting devices are classified in accordance with the results of a simplified hazard analysis which evaluates the consequences of a postulated load being dropped from the associated lifting device.
The consequences are considered to be unacceptable, if they could lead to:
• A criticality accident or,
• A loss of decay heat removal function or,
• A release of radioactivity leading to radiation exposure in the vicinity of the unit which exceeds PCC-4 limits.
The associated lifting device is then classified as having “increased requirements”. Fulfilment of these requirements enables the possibility of damage due to the dropped load to be discounted.
The consequences are considered to be serious, if they could lead to:
• A non-isolable release of primary coolant into the containment or,
• A failure which leads to consequential failure of an F1 system or,
• A release of radioactivity leading to increased radiation levels inside the area which affects the classification of radiological zones.
The associated lifting device is then classified as having “additional requirements”.
The classification of the handling devices is given in Sub-chapter 3.2 – Table 5.
The main hoist of the reactor polar crane, which is classified as having “additional requirements”, is used for handling heavy components during plant outages. It is used for transport of the following heavy equipment (weighing up to 35 tonnes).
• Multiple-stud tensioning machine,
• Reactor pressure vessel closure head,
• Upper and lower core internals of the reactor pressure vessel
• Setdown area partition gate
• Cover slabs
Specific lifting attachments are used for these different equipment items.
For the probabilistic evaluation of heavy load drop, the following aspects are important:
The main hoist is designed for increased requirements. These requirements are typically satisfied by designing the main hoist and the specific lifting attachments with a double kinematical chain.
The main hoist supports a 320 tonne hook.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 8 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The risk of a load drop involving a fuel element transport cask (critical time period of 10 hours) arises when a crane is equipped with a single kinematical chain. A crane with a double kinematical chain as foreseen in the EPR design is much more reliable.
Due to increased requirements on main hoist of the reactor polar crane and the design provisions excluding heavy load drops, the probability of a heavy load drop is expected to be less than 1E-06/year. This value is consistent with operating experience in US NPP for all types of cranes [Ref-1].
A study has been performed to assess the consequences of a drop of the RPV closure head during lifting operations [Ref-2]. This study concluded that a drop of the RPV closure head is the bounding case and that the mechanical integrity of the vessel nozzles, and thus decay heat removal from the core and the integrity of the fuel assemblies, is not endangered.
Due to the low initiating event frequency (<1E-06/y) and the results of the structural analysis confirming that the residual heat removal function remains available, heavy load drop is screened out from the PSA analysis.
This screening out is supported by the fact that this event is not addressed in typical international PSA guidelines (IAEA Guide [Ref-3], EUR [Ref-4], NUREG and ASME [Ref-5]).
1.3.2. Summary of probabilistic assessment
From a PSA point of view, only events potentially leading to the possibility of core damage need to be investigated. Core damage is related to the classification criteria for handling devices
• loss of reactivity control (criticality accident) and
• loss of the RHR function,
it can be concluded that the only load drops that could lead to core damage are those from cranes designed according to “additional requirements”. However, these additional requirements, if satisfied, are such that the probability of a load drop leading to core damage is so low that the events can be screened out from the PSA.
All other loads, by definition, do not have the potential for core damage as defined in the Level 1 PSA.
1.4. INTERNAL EXPLOSIONS
The analysis of risk associated with internal explosions will be undertaken later in the licensing process after completion of detailed design studies.
Design provisions aim to minimise the risk associated with this hazard.
1.5. FIRE
Fire events relevant to PSA are internal fires which could induce the initiation of a transient in the plant involving either a direct reactor trip or affecting, totally or partially, the function of a safety system. Fires affecting a safety system function typically require a precautionary plant shutdown to bring the reactor to a safe state.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 9 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
1.5.1. Scope
The scope of this analysis is limited to fires that are initiated from fire sources within the plant (internal fires).
In accordance with the early stage of the plant design the fire PSA is performed with a number of specific limitations and assumptions, such as:
• the study is performed at building or division level, rather than at the level of specific areas or components,
• the study considers only at-power operation,
• the study takes into account the design principle that redundant sections of the engineered safeguards are generally located in separate fire compartments,
• conservatively, all the equipment located in an affected building / division (i.e. one safeguard building / one division of fuel building, turbine hall, one Diesel Building etc.) is assumed to be unavailable for contributing to plant safety. Therefore, effects such as fire-induced explosions, structural collapse, missile generation and propagation of smoke and heat are not analysed separately,
• fire detection and extinguishing is taken into account by a simplified approach by evaluating its effect on initiating event frequency,
• fire protection systems are not analysed in detail.
The core damage frequency resulting from internal fire events is calculated by the PSA.
1.5.2. Methodology of the Fire PSA
The main components of the fire PSA are:
• identification of fire events relevant to safety
• estimation of the initiation frequencies for these fire events and
• calculation of the resulting core damage frequencies.
Guidance is provided for this analysis by NUREG/CR-6850 [Ref-1].
1.5.2.1. Evaluation of the scope of fire events
The mapping of internal fire events is performed at the building level. Generally it takes into account the buildings where safety equipment is located or where a fire could induce a transient in the plant.
The buildings considered in this approach are the safeguard buildings (and the fuel building), housing the safety equipment, and the turbine building, housing important operational equipment, whose failure could trigger a plant transient.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 10 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
1.5.2.2. Evaluation of frequencies
At this stage of the EPR design, the detailed plant layout is still being refined. Consequently, generic data defined in NUREG/CR-6850 [Ref-1] are used for the evaluation of fire frequencies.
Component specific fire data of NUREG/CR-6850, Table 6-1 [Ref-1] are used to evaluate fire initiating event frequencies in fire compartments identified as relevant to plant safety.
Fire ignition frequencies for components located in the analysed buildings / fire cells and defined as ignition sources in NUREG/CR-6850, Table 6-1 [Ref-1] are identified. The number of components for which specific fire data are available, and the total number of such components in the plant, are needed to estimate fire frequencies. As this knowledge is not yet fully available for some types of components, (e.g. junction boxes, cabling, electrical cabinets etc.) the ratio between the number of components in a building and the total number of such components in the plant is estimated by engineering judgement.
Component types defined as ignition sources in NUREG/CR-6850 [Ref-1], and present in the building to be analysed, are identified. A plant-wide specific ignition frequency corresponding to the total frequency of fires caused by each specific type of component is taken from NUREG/CR-6850. This number has to be weighted by the proportion of the total number of components that are present in that specific building. Thus, for each building and for each type of component an ignition frequency for the component type is determined by multiplying the ignition frequency for the component type from NUREG/CR-6850 [Ref-1] by the fraction of the component type that is physically located within the building. The ignition frequency of the building is then the sum of the adjusted ignition frequencies for the component types that are located within the building. The main source used to evaluate the number of components per location is the electrical load list that lists all components that have a power supply within the buildings.
As the component specific fire data of NUREG/CR-6850, Table 6-1 [Ref-1] are based on experience from US plants, a correction factor is applied to account for the greater number of components in the EPR. The values used are as follow: 1.1 for pumps, 1.5 for cabinets, 2 for batteries.
The component-specific fire data in NUREG/CR-6850, Table 6-1 [Ref-1] for cables is based on experience of unqualified or a mix of qualified and unqualified cables. This data does not include the use of fire retardant cables as used in EPRs. Therefore, a correction factor of P=0.01 is applied to take account of the fire retardant cabling used in the EPR, based on conservative expert judgement. This correction factor is also applied to the fire ignition frequency of junction boxes. This assumption is based on the requirement in ETC-F which states that cables and wiring shall be classified as at least “C1”, where “C1” indicates “fire retardant”. A fire of synthetic clamps/terminal or wiring within the junction box produces a small local fire which does not affect safety related equipment in a global manner (such that total redundancy is lost). The most likely spread of a fire in a junction box is assumed to occur via the cabling connected to the junction box. The spread of a fire in a junction box in such a manner is prevented due to the use of fire retardant cables. Therefore, the same correction factor (P=0.01) as for fire from retardant cabling is applied.
Based on this approach, the frequency of a fire in a building / fire cell is evaluated.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 11 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
1.5.2.3. Failure modes and affected components
The different types of components modelled in the PSA exhibit different behaviours when exposed to a fire. The failure modes of each type of component analysed are defined in Sub-chapter 15.2 - Table 1. The assumption that passive components e.g. pipes, vessels, are not impacted by fire events follows NUREG/CR-6850 [Ref-1]. A component is assumed either not to be affected by a fire, become inoperable, or in the case of valves, fail “as is”, i.e., become fixed in their pre-fire positions. Spurious operation is not considered as a primary failure mode. However, it is considered as a potential consequence of cable failure.
Table 1 of Sub-chapter 15.2 summarises the modelling in the PSA the different behaviour of components exposed to a fire, with the overall assumption applied to the unavailability of the components within an affected building/ division.
Cable failure is assessed as follows: the primary failure mode is assumed to be open-circuit failure. The cable is considered to be destroyed, and all the components powered and/or controlled from this cable to be inoperable. A secondary failure mode is closed-circuit failure, or ‘hot short’. This mode is assumed to lead to spurious operation of components supplied and/or powered by the cable. The likelihood of this particular failure mode depends on the type of circuit configuration, which depends on the type of component supplied. Spurious operation due to hot shorts is considered for Motor-operated valves (MOV) and Solenoid-operated valves (SOV).
1.5.2.4. Fire Suppression
Automatic fire suppression is credited in the fire PSA in one case:
• The Turbine Building where it is assigned a failure probability of 0.1. In practice the factor of 0.1 is modelled by a specific basic event.
Manual fire suppression is generally not credited in the PSA, except in the Main Control Room, which is permanently manned. Manual suppression of a fire in the Main Control Room is assigned a failure probability of 0.01 and is modelled by a specific basic event.
1.5.2.5. Event tree modelling
Modelling of the event tree associated with the internal fire hazard is based on modelling of the event tree for the most transient most likely to be initiated by the fire event, taking into account the equipment availability affected by the fire event.
1.5.3. Mapping of internal fire events
As stated in sub-section 1.5.2.1 of this sub-chapter, the mapping of internal fire events (identification of fire area) is performed at the building level.
With regard to the layout of the buildings, the mapping uses information presented in Sub-chapter 1.2 “General Description of the unit” and section 7 ” Fire protection systems and equipment” of Sub-chapter 13.2 “Protection against Internal Hazards”. Information about the layout of the fire compartments is also given in the Safety Fire Compartment report [Ref-1] and [Ref-2].
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 12 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
In accordance with Task 4 of NUREG/CR-6850 [Ref-3], a fire area can be screened out provided that the following criteria are fulfilled:
1. It does not contain safety relevant components that would be vulnerable to a fire.
2. A fire in the fire area would not cause an automatic plant trip nor constrain the operators from performing a manual plant trip.
Note: If the fire affects only one redundant element of a safety system, without causing an initiating event that would require operation of this system, it is screened out from the analysis. This is the case even when the system might eventually be required to secure long term plant shutdown.
This screening reduces the number of Buildings that require analysis. As the mapping is performed at building level, the building itself is initially considered as a fire area. Sub-chapter 15.2 - Table 2 summarises the mapping of buildings for the EPR Fire PSA.
No generic quantitative screening criteria are used, but specific quantitative screening criteria are used in the analysis and defined in the relevant sections of this sub-chapter.
1.5.4. Fire Analysis / Modelling
1.5.4.1. Fire in the containment
Two relevant fire scenarios are identified for an internal fire hazard in the containment:
Fire in the RCP [RCS] loop compartment
The following components, identified as a fire ignition sources in NUREG/CR-6850 [Ref-1], are located in the RCP [RCS] loop compartments:
Ignition source Generic frequency
Reactor coolant pumps 6.1E-03/y x 0.01 (see below)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Electric motors of valves 4.6E-03/y (plant wide)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Most of the cables in the plant are assumed to be in the electrical area of the safeguard buildings, the switchgear buildings and the cable ducts. Only a small proportion (<10%) of the cabling is expected to be located in the containment. Having in mind that fire retardant cables are used in the EPR, the frequency of a fire initiated by cabling can be neglected for the estimation of the frequency of a fire in the RCP [RCS] loop compartment. For junction boxes, more than 10% are expected to be in the containment, as each of the cable penetrations is equipped with a junction box in the annulus and the outer containment. The number of junction boxes in the RCP [RCS] Loop compartments is expected to be so low that the frequency of a fire initiated by junction boxes can be neglected for the estimation of the frequency of a fire in the RCP [RCS] loop compartment.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 13 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The number of motor valves inside the containment is estimated as about 16% of the motorised valves in the electrical consumer list. The remaining motorised valves are located in the safeguard buildings. However, most of the motor valves inside the containment are typically not in operation. Therefore, motorised valves are neglected as an ignition source inside the RCP [RCS] Loop compartment.
Therefore, the reactor coolant pumps are identified as the main ignition source for a fire in this area.
From Table 6-1 of NUREG/CR-6850 [Ref-1], the generic frequency of a fire on one Reactor Coolant Pump is 6.1E-03/y.
Taking into account the protective action of the passive oil collection devices, which strongly limits the effect of fire, a factor of 0.01 is used, which represents the conditional probability of having a fire commensurate with the impact on the safety systems described below.
The frequency of a fire on a reactor coolant pump in the RCP [RCS] loop compartment is thus estimated to be 6.1E-05/y.
This fire is conservatively assumed to lead to:
• consequential failure of SG level control on the two SGs in the neighbourhood of the respective Reactor Coolant Pump (SG3 and 4 are assumed to be the two SGs affected by the fire)
• consequential failure of the cables of PZR bleed valves, with the result that primary bleed cannot be credited. The unavailability of primary feed and bleed is also assumed in the level 2 modelling.
This event is modelled by event tree IH F CTM_AB. This event tree models the sequence of events that follow a plant trip (see section 5.8 of Sub-chapter 15.1) which is assumed to be the consequence of the failures described above.
The resulting core damage frequency is calculated to be 3.0E-09/y (point estimate), contributing 0.4% to the overall CDF.
The main contribution to the CDF is from fire in the RCP [RCS] loop compartment followed by the loss of the secondary side heat removal function, due to the failure of both the ASG [EFWS] and AAD [SSS] to feed the remaining SGs.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 14 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Fire in the pressuriser valve compartment
The following components identified as a fire ignition sources in NUREG/CR-6850 [Ref-1] are located in the pressuriser valve compartments:
Ignition source Generic frequency
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Electric motors of valves 4.6E-03/y (plant wide)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Assuming for the ignition source cables that ≤1% of the cable mass of the plant in the PZR valve compartment the frequency of a fire ignited by cables is estimated as:
4.1E-03/y x 0.01 x 1% = 4.1E-07/y.
The motorised valves located in the pressuriser valve compartment are typically not in operation and the power is cut off. As any junction boxes would belong to the motor valves, the power would be cut off from these also. Therefore, motor valves and junction boxes are neglected as an ignition source in the pressuriser valve compartment.
Therefore, the frequency of a fire in the PZR valve compartment is estimated to be lower than 1E-6/y. A PZR valve might spuriously open in that case, but this frequency of this event is much lower than the frequency of a PZR leak event which is already addressed in the PSA. Assuming primary bleed to be unavailable, this event can in any case be neglected in the modelling, as cool-down to MHSI injection pressure via the secondary side is not affected. The PZR pressure measurement initiating this cool-down could be affected if there was a spurious indication of low pressure. However, it is assumed that diverse actuation via the safety automation system I&C on RCP [RCS] pressure <min would not be affected by the fire.
Therefore, fire in the pressuriser valve compartment is not considered in the PSA modelling.
1.5.4.2. Fire in the reactor building annulus
The following components identified as a fire ignition sources in NUREG/CR-6850 [Ref-1] are located in the reactor building annulus:
Ignition source Generic frequency
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 15 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The reactor building annulus is divided into four fire cells corresponding to the four divisions, by vertical fire separation elements and horizontal ceiling elements between the lower cable area and area of horizontal annular cable routing. Fire propagation along the fire retardant FRNC-cables beyond the fire cell affected is disregarded, because of the small amount of burnable material located in the annulus.
Therefore, fire propagation from a fire in a fire cell of one division to fire cells of other divisions is disregarded.
Most of cables in the plant are assumed to be in the electrical area of the safeguard buildings, the switchgear buildings and the cable ducts. Only a small part (estimated as <10% of the cable mass in the plant) is expected to be located in the reactor building annulus (similar assumption as for the containment). Therefore, the frequency of a fire ignited by cables is estimated as:
4.1E-03/y x 0.01 x 10% = 4.1E-06/y.
For junction boxes, a higher portion (estimated as 20%) is expected to be in the reactor building annulus, as each of the cable penetrations is equipped with a junction box in the annulus and the outer containment. Therefore, the frequency of a fire ignited by a junction is estimated as:
1.9E-03/y x 0.01 x 20% = 3.8E-06/y.
Therefore, the frequency of a fire in a fire cell of the annulus is estimated to be lower than 1E-5/y.
The consequences of a fire in a fire cell of the reactor building annulus are assumed to be similar to those of a fire in one of the safeguard buildings. The initiating event frequency for a fire in one safeguard building is orders of magnitude higher. Therefore a fire in a fire cell of the reactor building annulus is assumed to be covered by the modelling of a fire in a safeguard building.
1.5.4.3. Fire in a Safeguard Building
The following components identified as potential fire ignition source in NUREG/CR-6850 [Ref-1] are located in a safeguard building:
I&C and Electrical area
Ignition source Generic frequency
Electrical cabinets 4.5E-02/y (plant wide x 1.5 (see sub-section 1.5.2.2 of this sub-chapter)
Transformers 9.9E-03/y (plant wide)
Batteries 7.5E-04/y (plant wide) x 2 (see sub-section 1.5.2.2 of this sub-chapter)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 16 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Mechanical area
Ignition source Generic frequency
Pumps 2.1E-02/y (plant wide x 1.1 (see sub-section 1.5.2.2 of this sub-chapter)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Electric motors of valves 4.6E-03/y (plant wide)
The Safeguard Buildings 1-4 are divisionally separated into areas, each one forming a Safety Fire Compartment.
Each safeguard building is sub-divided into Unavailability Fire Compartments for the:
• radiological controlled mechanical area,
• radiological non-controlled mechanical area,
• cable floors,
• I&C and electrical switchgear rooms,
• HVAC equipment rooms,
• battery rooms,
• cable ducts
Despite this sub-division, in the PSA all equipment in the safeguard building is assumed to be lost in the case of a fire (benefits of internal fire barriers are conservatively ignored).
In Safeguard Building 2 additional Safety Fire Compartments exist for the Main Control Room (MCR). Fire in the MCR is treated separately. Propagation of a fire in the safety fire compartments of safeguard building 2 to the MCR is assumed not to occur.
In the Safeguard Building 3 additional Safety Fire Compartments exist for the Remote Shutdown Station (RSS). Fire in the RSS is treated separately. Propagation of a fire in the safety fire compartments of safeguard building 3 to the RSS is assumed not to occur.
With regard to the consequences of a fire in a safeguard building electrical area it is, conservatively, assumed that each component supplied by normal and emergency power supply system in that safeguard building is lost. This affects components in other buildings, for example:
• the RCV [CVCS], RBS [EBS], PTR [FPCS] in the fuel building;
• the Reactor Coolant Pumps and the Pressuriser valves in the containment,
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 17 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
• the VDA [MSRT] valves and Main feedwater valves in the Main feedwater valve compartment.
A fire in the mechanical area affects all components in that safeguard building, LHSI and MHSI, ASG [EFWS], EVU [CHRS], Chilled water system (DEL) and RRI [CCWS]. The chilled water system and component cooling water system serve as support systems for other systems in the safeguard building and other buildings e.g.
• the RCV [CVCS], and PTR [FPCS] in the fuel building;
• the Reactor Coolant Pump: cooling of thermal barrier and the motors in the containment.
This means that fire in the mechanical area and the electrical area would lead to similar consequences and can be therefore treated as a single event.
Frequency estimation for a fire in a safeguard building
Most of the electrical cabinets are located in the safeguard and switchgear buildings. There are a few cabinets in the Diesel generator buildings (three in DG Building 1 and 4 and one in DG building 2 and 3) and a few in the Nuclear auxiliary and waste buildings. It is assumed that more than 4/6 (70%) of the electrical cabinets are located in the safeguard buildings. Therefore, the frequency of a fire in a safeguard building ignited by electrical cabinets is:
4.5E-02/y x 1.5 x 70% = 4.7E-02/y.
The same proportion is assumed to be valid for the batteries, taking into account the approximate 1400 kVA battery capacity in the safeguard buildings and the 500 kVA capacity in the switchgear buildings. Therefore, the frequency of a fire in a safeguard building, ignited by an electrical cabinet, is:
7.5E-04/y x 2 x 70% = 1E-03/y
For transformers it is assumed that 50% of the plant transformers are located in the safeguard buildings. Therefore, the frequency of a fire in a safeguard building ignited by a transformer is:
9.9E-03/y x 50% = 5E-03/y.
Pumps in operation are considered as potential fire ignition sources (estimated as about 30 main pumps). In the safeguard buildings, 2 of the 4 RRI [CCWS] pumps are in operation during normal power operation. This is estimated as being less than 10% of all pumps operating (only main fluid system pumps are considered) during normal reactor operation. Therefore, the frequency of a fire in a safeguard building ignited by a pump is:
2.1E-02/y x 1.1 x 10% = 2.3E-03/y.
Motors on valves located in the safeguard buildings are typically isolated from the power supply, except for the control valves of the RRI [CCWS] train in operation. This is estimated to be less than 1% of the total number of valves in the plant. Therefore, valve motors valves and junction boxes are neglected as potential ignition sources in the safeguard buildings.
Due to the use of fire retardant cables, the contribution of cables and junction boxes is two orders of magnitude lower than the other sources mentioned above, and is therefore neglected as an ignition source.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 18 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Taking account of the frequency contributions from batteries, cabinets and transformers, the frequency of a fire in a safeguard building is estimated as 5.5E-02/y.
The fire event is assumed to lead to consequential failures in the affected safeguard building.
This event is modelled by event tree IH F SB1_AB, which models the sequence of events that follow a partial loss of cooling chain (see section 5.9 of Sub-chapter 15.1) considering the consequential failures described above.
The resulting core damage frequency is calculated as 7.5E-08/y (point estimate), which represents 10.6% of the overall CDF.
The main contribution to the CDF is from the fire in the safeguard building resulting in failure of the component cooling water, the essential service water system and a reactor coolant pump seal LOCA due to failure of the reactor coolant pump shaft seals followed by the failure of the MHSI trains and the failure to perform fast secondary cooldown.
1.5.4.4. Fire in the main steam valve compartment
The following components identified as a fire ignition source in NUREG/CR-6850 [Ref-1] are located in a safeguard building:
Ignition source Generic frequency
Pumps (Oil pumps of the MFW/ MS isolation valves)
2.1E-02/y (plant wide x 1.1 (see sub-section 1.5.2.2 of this sub-chapter)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Electric motors of valves (including solenoid)
4.6E-03/y (plant wide)
The I&C cabinets in this location are small I&C cabinets that do not represent significant ignition sources.
MFWS/MSS valve compartments 1-4 are located on top of Safeguard buildings 1 and 4. The MFWS/MSS valve compartments on top of safeguard building 1 contain MFWS/MSS valves for divisions 1 and 2. The MFWS/MSS valve compartments on top of safeguard building 4 contain MFWS/MSS valves for divisions 3 and 4.
The MFWS/MSS valve rooms of division 1 (respectively 4) are separated by fire protection means from the MFWS/MSS valve rooms of division 2 (respectively 3).
Each of the divisionally separated valve rooms is interpreted as one single fire area. Fire progression to the MFWS/MSS valve room of the neighbouring division is assumed to be prevented by engineered fire protection means.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 19 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Components in MFWS/MSS Valve rooms relevant to fire analysis include:
• MFWS isolation valves (1 per division)
• Main Steam Relief trains (isolation and control valve) (MSRTs) (1 per division)
• Main Steam safety valves (MSSVs) (2 per division)
• Main Steam Isolation valves (VIV [MSIV]s) (1 per division)
Assessment of the initiating event frequency:
The small oil pumps supplying the MFW/ MS isolation valves (2 pumps per division) are not continuously operating. Therefore, they have been not included in the assessment of the total number of main fluid system pumps operating during normal plant operation, considered as potential ignition sources in the safeguard building fire frequency assessment.
The oil pumps of the oleo-pneumatic valves in the MFWS/MSS Valve rooms are assumed to contribute less than 1% to the overall number of pumps in the plant (all pumps) and to be operating less than 10% of the time during normal plant operation.
Therefore, the frequency of a fire in a MFWS/MSS Valve rooms ignited by oil pumps is estimated as
2.1E-02/y x 1.1 x 0.01 x 10% = 2.3E-05/y.
The hydraulic fluid of the oleo-pneumatic
• main steam isolation valves,
• main feed water full load isolation valves
and related equipment, is a phosphate ester without additives which is difficult to ignite. Therefore, it is neglected as an ignition source.
The motors of valves in the MFWS/MSS valve rooms are typically isolated from the power supply. The solenoid pilot valves of MFW and MS isolation valves are power operated. These are estimated to represent less than 1% of the total number of valves in the plant.
Therefore, the frequency of a fire in the MFWS/MSS Valve rooms ignited by motor / solenoid valves is estimated as
4.6E-03/y x 0.01 = 4.6E-05/y.
The fraction of cables and junction boxes is assumed to be less than 1% of the overall quantity of cables and junction boxes in the plant. Due to the use of fire retardant cables the contribution of cables and junction boxes is assumed to be two orders of magnitude lower compared to the other sources mentioned above, and is therefore neglected as an ignition source in the PSA.
Summing the frequency contributions from oil pumps and motor / solenoid valves, the overall frequency of a fire in a in the MFWS/MSS valve room is estimated as 7E-05/y.
A fire in a MFWS/MSS Valve room is assumed to cause failure of the MSRIVs “as is” in the closed position, and to cause failure of the MFWS isolation valves “as is” in the open position.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 20 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
A VIV [MSIV] is assumed to be equipped with a pressurised tank that closes the VIV [MSIV] if its solenoid-operated control valve is de-energised. Closure of a VIV [MSIV] leads to a reactor trip. This event is covered by the SGTR event which has a frequency one order of magnitude higher than that estimated for a fire in the MFW/MSS valve compartment.
Spurious operation due to fire-induced closed-circuit failures (hot shorts) is covered by the modelling of spurious closure of MFW isolation valves which causes a loss of MFW to the affected SG. The initiating event frequency for LOMFW events in which MFW supply is assumed lost to all SGs (not just one SG) is two orders of magnitude higher than that estimated for a fire in the MFW/MSS valve compartment.
Spurious opening of an MSRIV would cause an event similar to a steam line break outside the containment (SLBO, see section 5.3 of Sub-chapter 15.1). Two of the four pilot valves of the MSRIV would need to be spuriously actuated by hot shorts. This probability is estimated to be lower than 0.1.
The frequency of a fire in an MFWS/MSS valve room leading to a spurious opening of the MSRIV is therefore estimated as 7E-05/y x 0.1 = 7E-06/y. Therefore, this event is covered by the modelling of a steam line break events outside containment, the frequency of which is more than two orders of magnitude higher.
1.5.4.5. Fire in Fuel Building
The following components identified as a fire ignition source in NUREG/CR-6850 [Ref-1] are located in a fuel building:
Ignition source Generic frequency
Pumps 2.1E-02/y (plant wide x 1.1 (see sub-section 1.5.2.2 of this sub-chapter)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Electric motors of valves 4.6E-03/y (plant wide)
The Fuel Building 30UFA is divisionally separated mainly in two parts Fuel Building 1 and Fuel Building 2, each one of which forms a Safety Fire Compartment: the equipment in these safety fire compartments is mainly assigned to Division 1 and Division 4.
The following components are located in Fuel Building 1 and Fuel Building 2:
• The fuel pool cooling system pumps and related equipment of Fuel Pool Cooling System, spent fuel pool with fuel transfer pit, fuel loading hall with related facilities, Extra Borating system pump and related equipment of Extra Borating System train and equipment of non-safety related systems,
• The charging pumps and related equipment of Chemical and Volume Control System (RCV [CVCS]).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 21 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Fire in a Fuel Building is assumed to lead to a loss of the chemical volume and control system. As this system performs Pressuriser level control as well as injection of the Seal water to the Reactor Coolant Pumps, a fire in a Fuel Building is assumed to cause a plant trip.
The Volume Control system, as an operational system, is not divided strictly into two redundant trains. Therefore, the consequence of a fire in the Fuel Building is assumed to be a total loss of the Volume Control system
The Extra Boration System is a two train system.
One train of RBS [EBS] is assumed to be affected by a fire in the Fuel Building.
The Fuel Pool Cooling System (PTR [FPCS]) consists of 2 redundant trains: Train 1 in Fuel Building 1 and Train 2 in Fuel Building 2.
One fuel pool cooling system train is assumed to be potentially affected by a fire in the Fuel Building.
Note: Loss of 1 train of the Fuel Pool Cooling System (PTR [FPCS]) is discussed in Sub-chapter 15.3.
Pumps in operation are considered as a possible fire ignition source. In the Fuel Building three pumps (PTR [FPCS] pump, RCV [CVCS] pump and the Borating pump) are assumed to be in operation during normal power operation. This is estimated as about 10% of the total pumps in operation during normal reactor operation. Therefore, the frequency of a fire in a fuel building ignited by pumps is:
2.1E-02/y x 1.1x10% = 2.3E-03/y.
Motors of valves located in the fuel building mainly belong to systems that are operating or might be operating during normal power operation. The proportion of such valves in the Fuel building is estimated as 8% of the total number of valves in the plant electrical consumer list. Therefore, the frequency of a fire in a fuel building ignited by valve motors is:
4.6E-03/y x 8% = 3.6E-04/y
Due to the use of fire retardant cables, the contribution of cables and junction boxes as ignition sources is two orders of magnitude lower than that of the other sources mentioned above, and is therefore neglected.
Summing the frequency contributions due to pumps and valve motors, the overall frequency of a fire in the Fuel building is estimated as 3E-03/y.
Plant shutdown after a fire in the fuel building will be initiated either automatically or manually by insertion of the control rods into the core. The residual heat removal function is not impaired by a fire in the Fuel building as the components involved in residual heat are located in the safeguard buildings and the turbine hall.
Cold shutdown might require boration by the RCV [CVCS] or by the RBS [EBS]. Both systems are affected by the fire in the Fuel Building. However one RBS [EBS] train or alternatively the MHSI or the accumulators, are available for boration even in case of a fire in the Fuel Building.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 22 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The initiating event frequency of a fire in the fuel building can be compared to that of a spurious reactor trip (IE frequency = 1/y) where all secondary side systems are available. However the frequency of the initiating event Fire in one Fuel Building is estimated to be more than 2 orders of magnitude lower. Consequently the initiating event fire in the Fuel Building is considered to be covered by the modelling of the spurious reactor trip transient.
1.5.4.6. Fire in the main control room
Frequency of a fire in the MCR is given in Table 6-1 of NUREG/CR-6850 [Ref-1] as 2.5E-03/y (Fire in Control room - ignition source main control board).
A fire in the main control room would be detected by the operators and immediately extinguished before it propagated to develop into a fire leading to the loss of the MCR.
The probability of the operators failing to act is assumed to be P=0.01. Therefore, the frequency of losing the MCR due to fire is 2.5E-05/y.
If the MCR is lost the operator could switch over to control the plant from the RSS. The probability of failure of this action is assumed to be P=0.01.
As the reactor protection I&C system is located in the safeguard buildings, the reactor protection system remains available to bring the plant in a safe state.
Conservatively, only reactor protection system functions are considered to be available because they have priority over spurious signals that could be potentially initiated due to the fire in the MCR.
This fire scenario is modelled by event tree IH F MCR.
The resulting core damage frequency is calculated as 1.5E-10/y (point estimate), contributing 0.02% to the overall CDF.
The major contribution to this CDF is from fire in the MCR followed by failure of the operator to switch control from the MCR to the RSS, combined with a loss of the secondary side heat removal function due to the failure of ASG [EFWS] feeding the SGs.
1.5.4.7. Fire in the Essential service water pump building
Each division in the essential service water pump buildings is designed as one single fire area.
The following components identified as a fire ignition sources in NUREG/CR-6850 [Ref-1] are located in an essential service water pump building:
Ignition source Generic frequency
Pumps 2.1E-02/y (plant wide x 1.1 (see sub-section 1.5.2.2 of this sub-chapter)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 23 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Ignition source Generic frequency
Electric motors of valves 4.6E-03/y (plant wide)
Safety related components in the essential service water pump buildings are the:
• Essential service water pump (ESW pump building 1-4)
• Essential service water for the severe accident cooling (ESW pump building 1 and 4)
• Isolation MOV downstream of the ESW pump.
Pumps in operation are considered as possible fire ignition sources. In the essential service water pump buildings, 2 of the 4 ESW pumps are in operation during normal power operation. This is less than about 10% of the total number of operating pumps (i.e. main fluid system pumps) running during normal operation. Therefore, the frequency of fires in an essential service water pump building, ignited by pumps is:
2.1E-02/y x 1.1 x 10% = 2.3E-03/y.
The number of motorised valves located in the essential service water buildings is estimated as less than 1% of the total valves in the plant. Therefore, motorised valves are neglected as possible ignition sources in the essential service water buildings.
Due to the use of fire retardant cables the contribution of cables and junction boxes is two orders of magnitude lower than that due to other ignition sources mentioned above and is therefore neglected.
Therefore, the frequency of a fire in an essential service water pump building is estimated as 2.3E-03/y.
The consequences of a fire affecting one division of the essential service water pump building is comparable to those of the “Loss of a cooling chain” transient, the frequency of which is 2 orders of magnitude higher.
Consequently a fire affecting 1 division of the essential service water system is considered to be covered by the modelling of the loss of cooling chain initiating event.
Note: Fire in division 1 or 4 of the essential service water pump building also could affect the essential service water pump supporting the severe accident service water system. This effect on the Level 2 PSA modelling is neglected as small in the fire PSA.
1.5.4.8. Fire in the Main cooling water pump building
The following components identified as a fire ignition source in NUREG/CR-6850 [Ref-1] are located in a main cooling water pump building:
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 24 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Ignition source Generic frequency
Pumps 2.1E-02/y (plant wide x 1.1 (see sub-section 1.5.2.2 of this sub-chapter)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Junction boxes 1.9E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
Electric motors of valves 4.6E-03/y (plant wide)
It is conservatively assumed that the circulating water pump building is one fire area.
Pumps in operation are considered as possible fire ignition sources. In the main cooling water pump buildings 4 main cooling water pumps and 1 service water pumps are assumed to be in operation during normal power operation. This is estimated to be less than 20% of the total number of operating pumps (only main fluid system pumps considered) during normal operation. Therefore, the frequency of a fire in a main cooling water pump building ignited by pumps is:
2.1E-02/y x 1.1 x 20% = 4.6E-03/y.
Other ignition sources are neglected as in the analysis of the essential service water system.
The frequency of a fire in a main cooling water pump building is thus estimated as 4.6E-03/y.
The main cooling water pumps and the main cooling water pumps are affected by the fire.
This event is covered by the modelling of the “Loss of condenser” initiating event (see section 5.6 of Sub-chapter 15.1) the frequency of which is more than one order of magnitude higher than that of a fire in the main cooling water pump buildings.
1.5.4.9. Fire in the Switchgear building of the Turbine Island (TI)
The following components identified as a fire ignition sources in NUREG/CR-6850 [Ref-1] are located in the switchgear buildings of the TI:
Ignition source Generic frequency
Electrical cabinets 4.5E-02/y (plant wide x 1.5 (see sub-section 1.5.2.2 of this sub-chapter)
Transformers 9.9E-03/y (plant wide)
Batteries 7.5E-04/y (plant wide) x 2 (see sub-section 1.5.2.2 of this sub-chapter)
Cables 4.1E-03/y (plant wide) x 0.01 (see sub-section 1.5.2.2 of this sub-chapter)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 25 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
As explained in the analysis of the safeguard buildings, most of the electrical cabinets are located in the safeguard and TI switchgear buildings. It is assumed that 20% of the electrical cabinets (less than 2/6 as some electrical cabinets are located in other buildings) are located in the switchgear buildings. Therefore, the frequency of a fire in a TI switchgear building ignited by an electrical cabinet is:
4.5E-02/y x 1.5 x 20% = 1.35E-02/y.
The proportion of 20% is assumed to be also valid for the batteries, taking into account the 1400 kVA approximate battery capacity in the safeguard buildings compared to 500 kVA in the switchgear buildings. Therefore, the frequency of a fire in a safeguard building ignited by batteries is:
7.5E-04/y x 2 x 20% = 3.0E-04/y
For transformers it is assumed that 30% of the plant transformers are located in the switchgear buildings. Therefore, the frequency of a fire in a safeguard building ignited by a transformer is:
9.9E-03/y x 30% = 3E-03/y.
Due to the use of fire retardant cables the contribution of cables and junction boxes is two orders of magnitude lower compared with the other ignition sources mentioned above, and is therefore neglected.
Summing the contributions from electrical cabinets, batteries and transformers, the frequency of a fire in a switchgear building is estimated as 1.7E-02/y.
This fire event is assumed to lead to consequential failure of all components in the affected switchgear building. The normal power supply for the TI and Nuclear Island (NI) division 1 and 3 or division 2 and 4 could be affected by such a fire. As a consequence secondary side systems of the TI available for heat removal functions may be lost due to the fire. In addition the normal power supply to the two divisions of the NI supplied via the medium voltage busbars in the affected switchgear building would be lost. As a consequence a reactor trip would be initiated and the corresponding emergency diesel generators started automatically.
This fire scenario is modelled by event tree IH F SWGB_AB.
This event tree used to model the sequence is that used for events that follow a loss of off-site power for 24 hours (see section 5.7 of Sub-chapter 15.1) with the inclusion of the consequential failures described above (normal power supply of NI division 2 and 4 is assumed unavailable).
The resulting core damage frequency is calculated to be 1.4E-08/y (point estimate), contributing 2.0% to the overall CDF.
The main contribution to the CDF is from a fire in a switchgear building followed by the loss of secondary side heat removal function due to the failure of the ASG [EFWS] feeding the SGs and failure of the operator to perform primary feed and bleed.
1.5.4.10. Fire in the Turbine Building
Frequency of a fire in the turbine hall is obtained from Table 6-1 of NUREG/CR-6850 [Ref-1] as 4.3E-02/y. As stated in sub-section 1.5.2.4 of this sub-chapter, the benefit of automatic fire suppression is credited for the turbine hall, with a failure probability of 0.1.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 26 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
A fire in the turbine building is assumed to lead to the loss of the main operational equipment located in this building.
It is conservatively assumed that the secondary side systems needed for heat transfer, located in the turbine building, are unavailable due to the fire event. The start-up and shutdown system (AAD [SSS]) and the main steam bypass (GCT [MSB]) are thus assumed unavailable.
The loss of the secondary side heat transfer systems mainly leads to:
• reactor trip (e.g. due to “Loss of Condenser” or “Loss of normal Feedwater Flow”),
• actuation of the main steam release valves (VDA [MSRT]),
• actuation of the emergency feedwater system (ASG [EFWS]).
This fire scenario is modelled by event tree IH F TH_AB.
This event tree models the sequence of events that follow a loss of main feedwater (see section 5.6 of Sub-chapter 15.1) allowing for the consequential failures.
The resulting core damage frequency is calculated as 2.9E-09/y (point estimate), contributing 0.4% to the overall CDF.
The main contribution to the CDF is from the fire in the turbine building followed by a loss secondary side heat removal function due to the failure of ASG [EFWS] feeding the SGs and failure of the operators to perform primary feed and bleed.
1.5.5. Results
The frequency of core damage (CDF) induced by an internal fire hazard in at-power states, from all the sources described in sub-sections 1.5.4.1 to 1.5.4.10 of this sub-chapter is calculated as a point value of 9.46E-08/year.
The contributions are:
ID Description
Core Damage
Frequency (/ry)
Contribution to IH CDF
Contribution to Total CDF
F SB1_AB Fire - Safeguard Building 1 7.49E-08 74.7% 10.6%
F SWGB_AB Fire - Switchgear Building 1.37E-08 13.8% 2.0%
F CTM_AB Fire - Containment 3.04E-09 3.0% 0.4%
F TH_AB Fire - Turbine Hall 2.88E-09 2.9% 0.4%
F MCR Fire - Main Control Room 1.49E-10 0.2% 0.02%
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 27 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Discussion of fire during plant shutdown
There are two opposing factors to be considered when considering the occurrence frequency of a fire during plant shutdowns and the consequences of such a fire:
1. A fire during plant shutdown is more probable than during at-power states due to the maintenance / repair (e.g. welding) work that is performed during plant shutdowns.
2. A fire due to repair work during plant shutdowns would be expected to affect a train which is already unavailable due to maintenance. It is likely that the fire will not induce additional unavailability of components, and therefore the consequences are likely to be less serious.
In addition, a fire would be more likely to be detected and controlled during shutdown because personnel working on systems and components for testing and maintenance would rapidly become aware of the fire and the longer grace periods available during plant shutdown would lead to more reliable fire fighting measures.
Therefore, it is very likely that the contribution of fire during shutdown to core damage frequency is smaller than for power states. This assumption will be addressed again in site specific safety submissions, when outage and maintenance activities are more clearly defined.
1.6. FLOODING
A flooding event in the PSA sense is an event which induces a component failure initiating a plant transient involving reactor trip (e.g. loss of main heat sink) or which impairs the function of a safety system. In the second type of event it is assumed that a precautionary plant shutdown will be required.
1.6.1. Scope
Due to the generic status of the plant design, the flooding PSA is performed with specific limitations and assumptions, such as:
• the study is performed at building level, rather than at the level of local areas inside buildings
• the study is performed for at-power operation,
• the study takes into account the general design principle of locating the redundant elements of the engineered safeguards in separate divisions,
• conservatively, all the equipment located in the flooding area is assumed to be unavailable for ensuring plant safety. Therefore, effects such as jet impingement, pipe whip, humidity or condensation are not analysed separately,
• for the evaluation of initiation frequencies, only generic values are used,
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 28 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
• a flooding event is defined as a leakage and failure to isolate the break. Flooding detection and isolation is modelled using a simplified approach through its impact on the initiating event frequency,
o Leak before rupture can be assumed because of the low energy and the quality of the pipework. It is assumed that only an un-isolated leak can cause flooding to such an extent that safety equipment in a flooding area is affected.
• flooding detection instrumentation equipment is not considered,
o This approach is conservative, since the failure probability of the detection means is covered by the assumed probability of break isolation failure because it can be assumed that the failure probability of flooding detection instrumentation is lower than the assumed failure probability of isolation (P=0.1).
• automatic reactor trip is assumed not to be prevented by flooding.
o The basis of this assumption is that flooding will not affect the I&C rooms in the safeguard building (located at a higher level than the water carrying systems). In addition, reactor trip is designed to be fail safe.
The core damage frequency resulting from internal flooding events is calculated below.
1.6.2. Methodology of the Flooding PSA
The main steps in this simplified flooding PSA are:
• the evaluation of the scope of flooding events relevant to safety,
• the estimation of the initiation frequencies for these flooding events and
• the calculation of the resulting core damage frequencies.
1.6.2.1. Evaluation of the scope of flooding events
The mapping of initiating flooding events is performed at building level mainly taking into account buildings where safety equipment is located or where a flooding event could induce a transient in the plant.
The buildings considered in this approach are buildings housing safety equipment and important operational equipment whose failure could cause a plant transient. Therefore, the screening of flooding events is qualitative not quantitative.
1.6.2.2. Evaluation of frequencies
The frequency flooding events in buildings is derived from the failure rates for piping leaks in representative fluid systems.
The systems of interest are those with a significant fluid inventory or those which draw fluid from an effectively inexhaustible source.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 29 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The failure (leakage) rates for the systems mentioned above are derived from the “PRA Procedures Guide in Chapter 11.4 of NUREG/CR-2300 [Ref-1], and also from EPRI TR-102266 [Ref-2] and EG&G-SSRE-9639 [Ref-3] by weighting the approximate piping lengths of a system within the buildings under consideration.
1.6.2.3. Failure modes and affected components
In any Flood Area, a flood event from a system that is not been screened out of the analysis is conservatively assumed to release the largest inventory of all the systems present in the Flood Area. The event is assumed to result in the failure of all components listed below that are present in the area, below the level of the maximum flood:
AFFECTED EQUIPMENT UNAFFECTED EQUIPMENT
Valves (excluding check valves and safety valves), Pumps, Compressors, Fans, Diesel Generators, Electrical Equipment, Cable Splices, Junction Boxes, Instrumentation, Ducting, Air Coolers Vaporisers/Heaters
Check valves, Safety valves, Cables, Strainers/Filters, Heat Exchangers, Tanks/Accumulators, Piping
Expected Impact of Flooding on Different Component Types
The safety equipment of the affected train is conservatively assumed to be unavailable, due to loss of function of active mechanical and electrical equipment.
1.6.2.4. Countermeasures protecting against flooding
Once a flood is detected e.g. by a sump alarm system, the operator will try to find and isolate the break. The probability of human error in detecting and isolating a break is assessed, taking into account the grace period available before the leak impacts on system functions.
If there are no means provided to stop the leak flow, the frequency of the leak corresponds to the frequency of the flooding event.
1.6.2.5. Event tree modelling
The event tree model describing the internal flooding event is based on the event tree model for the transient most likely to be initiated by the flooding event, taking into account the equipment unavailabilities due to the flooding event.
1.6.3. Mapping of internal flooding events
As stated in sub-section 1.6.2.2 of this sub-chapter the mapping of internal flooding events is performed at the building level.
Regarding the layout of the buildings, the mapping used information presented in Sub-chapter 1.2 “General Description of the unit” and section 7 ”Fire protection systems and equipment” of Sub-chapter 13.2 “Protection against Internal Hazards”.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 30 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Flood Areas are defined using the following criteria:
• buildings that contain safety-significant components and flood sources, or
• buildings that contain flood sources that could affect a building containing safety-significant components, or
• buildings that contain safety-significant components that could be affected by a flood from another building.
This screening reduces the number of buildings that require analysis. As the mapping is performed at building level, in the first step a building is considered as a flooding area.
Sub-chapter 15.2 - Table 3 summarises the mapping of buildings for the UK EPR Flooding PSA.
1.6.3.1. Flooding in Safeguard Building / Fuel Building
Safeguard Building:
The frequency for a leak in the SEC [ESWS] is estimated as 2.5E-03/year.
This value is based on the frequency of a leak in a salt water system in the turbine building – as given in NUREG/CR-2300 [Ref-1] – reduced by a factor of 2 to account for the considerably shorter length of corresponding piping installed in the safeguard building.
Taking into account protective actions by the operator in the short term, such as tripping of the assigned SEC [ESWS] pump (grace period of about 30 minutes) a probability of 0.1 is conservatively assumed for failure to prevent flooding. Failure of the affected redundant system is assumed only in case of failure of operator action.
(The grace period available for the prevention of spreading to another redundant system, i.e. prevention of a flooding level higher than ±0 m, is considerably longer than 4 hours. In this case the probability of operator failure can be assessed conservatively as 1E-04.)
It follows that the initiation frequency for flooding of one safeguard building with failure of one redundant system is estimated as 2.5E-04 per year.
Fuel Building:
The frequency for a leak in the PTR [FPCS] is estimated as 1E-03 per year. It is assumed that the leak is not isolable. Therefore, the occurrence frequency for the leak represents the initiating event frequency of flooding in one fuel building.
This value is based on the frequency of a leak in a salt water system in the turbine building - as given in NUREG/CR-2300 [Ref-1] – reduced by a factor of 5 to account for the fact that the PTR [FPCS] water is less corrosive than the salt water.
For the flooding analysis, the initiating event frequency evaluated for the fuel building is conservatively added to that for flooding in the safeguard building, because safeguard building 1 is connected to the fuel building 1 (e.g. by a corridor at the lowest building level, by cable routing for power supplies and I&C, and by pipe routing for the cooling water supply). A similar connection exists between safeguard building 4 and fuel building 2. The initiating event frequencies for the separate safeguard buildings 2 and 3 are added to the frequencies of the connected buildings.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 31 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
This leads to a combined initiation frequency - applied to flooding events in the safeguard building/fuel building which result in failure of one redundant train - of 3.0E-03 per year
Flooding of the safeguard building/fuel building potentially affects active components of systems in that safeguard building, i.e. the LHSI and MHSI, ASG [EFWS], EVU [CHRS], the Chilled water system and the RRI [CCWS]. The chilled water system and component cooling water system serve as support systems for other systems in the safeguard building and other buildings e.g.
• the CVCS and PTR [FPCS] in the fuel building;
• the Reactor Coolant Pump: cooling of thermal barrier and motor in the containment,
The event is modelled by event tree IH FL SB1_AB, which represents the sequence of events that follow a partial loss of a cooling chain (see section 5.9 of Sub-chapter 15.1) with additional failures caused by the internal flooding.
The resulting core damage frequency is calculated as 4.07E-09/y (point estimate), contributing 0.6% to the overall CDF.
1.6.3.2. Flooding in the Turbine Building
The frequency of leakages in the main cooling water system (MCWS) is estimated as 3E-02/year.
This value is based on the frequency of a leak in the main cooling water system in the turbine building - as given in NUREG/CR-2300 [Ref-1].
Taking into account short term operator actions such as tripping of the MCWS pumps (grace period about 30 minutes) a probability of 0.1 is conservatively assumed for failure to prevent flooding. Only in case of failure of this operator action are the main systems assumed to be affected.
Consequently the initiating event frequency for flooding events in the turbine building is obtained as 3E-03 per year.
The flooding in the turbine building is assumed to lead to the loss of the main operational equipment located in this building.
It is conservatively assumed that the secondary side systems needed for heat transfer that are located in the turbine building are unavailable due to the flooding event.
The main consequences of the loss of the secondary side heat transfer systems are assumed to be:
• reactor trip (e.g. due to “Loss of Main Heat Sink” or “Loss of normal Feedwater Flow”),
• actuation of the main steam release valves (MSRV),
• actuation of the emergency feedwater system (ASG [EFWS]).
The assumed success criteria correspond to those in an LOMFW transient, except that the Start-up and shutdown system (AAD [SSS]) and the main steam bypass system are assumed unavailable due to the flooding event.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 32 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The internal flooding in the turbine hall is modelled using event tree IH FL TH_AB. The resulting core damage frequency is calculated to 2.01E-09/y (point estimate), contributing 0.3% to the overall CDF.
The major frequency contribution to CDF is due to flooding of the turbine hall followed by loss of the secondary side heat removal function due to the failure of ASG [EFWS] feed to the SGs and failure of the operator to perform primary feed and bleed.
1.6.4. Results
The point value frequency of core damage (CDF) induced by an internal flooding hazard in at power states is calculated as: 6.1E-09 /ry.
The contributions are as follows:
ID Description
Core Damage
Frequency (/r.y)
Contribution to IH CDF
Contribution to Total CDF
FL SB1_AB Flooding in Safeguard Building 1 / Fuel Building 1 4.07E-09 4.0% 0.6%
FL TH_AB Flooding in Turbine Hall 2.01E-09 2.0% 0.3%
Discussion of internal flooding during plant shutdown
Similarly to the case of fire during plant shutdown there are two opposing effects to be considered with regard to the frequency and consequences of internal flooding during plant shutdowns.
1. Internal flooding during plant shutdown is more probable than in at-power states due to the maintenance / repair work that is performed during plant shutdowns.
2. Internal flooding during plant shutdown will tend to affect the train which is already unavailable due to maintenance. It is considered unlikely that the flooding would induce additional unavailability of components.
In addition, there is a higher probability that internal flooding would be rapidly detected because personnel working on systems and components for testing and maintenance would quickly detect the flooding, and the longer grace periods available during plant shutdown would result in more reliable measures to cope with the flooding (e.g. manual isolation of breaks, manual stopping of pumps).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 33 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
2. EXTERNAL HAZARDS ANALYSIS
To be included in the PSA scope, an external hazard must be able to impact on plant structures, systems or components and degrade one or more plant safety functions, challenging plant safety systems that act to maintain or bring the plant to a safe state.
The process adopted for the probabilistic analysis of external hazards involves the following steps:
• a screening analysis of the initial external hazard list (which is as exhaustive as possible).
• a probabilistic analysis of the ‘screened in’ external hazards.
2.1. SCREENING ANALYSIS
The identification of potentially relevant external hazards is the first step in the external hazard analysis.
This involves the compilation of a list of potentially relevant external events. The aim is to make the listing as exhaustive as possible.
Initiating events due to intentional mal-operation or sabotage are not considered in the PSA.
The following sources have provided the main inputs in the compilation of the list of external hazards:
• Nuclear Power Station Generic Design Assessment – Guidance to Requesting Parties [Ref-1]
• IAEA Safety Standards 50-P-7 [Ref-2], 50-SG-D5 [Ref-3] and 50-SG-S11A [Ref-4]
• NUREG/CR-5042 [Ref-5]
The methodology applied in the screening analysis involves the following steps:
1. Event description: This is aimed at specifying the type of hazard studied. Grouping the various types of external events is useful for structuring the information presented, making it possible to perform a tentative completeness check of the events identified. The following event grouping is used in this report:
• Meteorological events,
• Man-Made events,
• Geological and Seismotectonic events,
• Biological events,
• Flooding.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 34 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
2. Event information: corresponds to the collection of measurements, analysis of results, and listing of all kinds of information on the external hazard. This step contains the evaluation of the frequency of the external hazard.
3. Design information: The Design and the different levels of defence related to the external hazard are analysed, in order to evaluate how the EPR is protected and if plant safety is challenged.
4. Event consequence: This step involves analysis of the potential consequence of the external hazard on the plant, including direct and indirect impacts.
5. Screening analysis: Based on the analysis results, the external hazard is either retained (screened in) or discounted (screened out). The following criteria are used:
o Screened in: An external hazard is screened in if:
o The consequences of the external hazard could be important (to the plant structures, plant cooling systems etc.) and the hazard frequency is not bounded by an internal event analysis already performed in the Level 1 PSA.
o A detailed analysis is necessary to evaluate the frequency of core damage due to the external hazard.
o Screened out: An external hazard is screened out if:
o There is no expected impact on the plant safety.
o The levels of defence are judged sufficiently effective enough to give a negligible frequency of core damage.
o The frequency of the external hazard is low (1E-05/y)
The results of the screening analysis are presented in Sub-chapter 15.2 - Table 4. The screened in external hazards are the following:
• earthquake,
• aircraft crash,
• extreme weather conditions: extreme snow and strong wind,
• Organic material (algae, fish, etc) and hydrocarbon-based pollution.
2.2. EARTHQUAKE
Earthquake is analysed in Sub-chapter 15.6.
2.3. AIRCRAFT CRASH
The aircraft crash hazard will eventually need to be assessed with regard to UK regulatory requirements and targets using site-specific data. At the current generic design assessment stage the approach is simplified.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 35 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The aircraft crashes considered in the analysis are accidental crashes only. Malicious acts are not considered.
2.3.1. Aircraft crash rate
The evaluation of a frequency of aircraft crash that is UK generic uses the method in [Ref-1]. That report gives the following frequencies per km2 per year assuming that the UK generic site is located at least 40 km from a high crash concentration zone such as an airport.
• Light civil aircraft: 2.46E-05 km-2/y
• Helicopters: 1.16E-05 km-2/y
• Small transport: 0.12E-05 km-2/y
• Large transport: 0.20E-05 km-2/y
• Military combat and jet trainers: 0.46E-05 km-2/y
The helicopter and light civil aircraft are considered together.
The small and large transport aircraft are considered together.
Crash rates are represented as a Poisson process. The chi-squared distribution is used to provide the mean values at 50% confidence level for the crash rates of the different aircraft categories.
The frequency of aircraft crash depends on the effective target area associated with each building. The effective target area takes account of the aircraft size and wreckage distribution areas as well as the dimensions of the target building itself The target areas used in the probabilistic evaluation consider each building alone without any protection (screening) from the fully hardened buildings such as the reactor building (conservative assumption).
The target areas are defined per building and have been maximised. They are used for the aircraft crash analysis. The bounding effective target areas, assessed from [Ref-2], which are used to evaluate the aircraft crash frequencies, are the following:
a
{CCI Removed}
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 36 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
2.3.2. Impact of aircraft crashes
The following buildings are ‘fully hardened’ – i.e. protected against aircraft crashes:
• Fuel Building
• Reactor Building
• Safeguard Buildings 2 and 3
It is assumed that aircraft crash has no effect on these buildings.
The following buildings are not fully protected against aircraft crashes:
• 1 - 4 Emergency Diesel Generator Buildings / Separation
• 1 and 4 Safeguard Building
• Nuclear Auxiliary Building
• Effluent Treatment Building
• Pumping station
Therefore, a probabilistic analysis is performed to estimate the frequency of core damage due to accidental aircraft crash on these buildings.
APC impact targets are defined as those buildings, which are not protected against aircraft crash and which are structures that contain equipment which contributes to the following safety functions:
• reactor shutdown and removal of residual heat,
• storage of spent fuel,
• treatment and containment of radioactive waste.
All systems and equipment located in the affected building are assumed to be lost.
2.3.3. Emergency Diesel Generator Buildings 1 – 4
Event information
In case of aircraft crash on Emergency Diesel Generator Building 1, physical separation ensures that the impact will not affect the second diesel generator building. All systems and equipment inside the affected building are assumed to be lost i.e. two emergency diesel generators (EDGs) and one station blackout (SBO) diesel generator. No other systems are assumed to be lost. Due to the physical separation of the emergency diesel generator building from the rest of the plant, there is no risk of direct core damage due to the aircraft crash.
Nevertheless, the risk due to a Loss of Off-site Power (LOOP) at the time of the impact needs to be considered.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 37 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
In the probabilistic analysis the EDG 3 and EDG 4 and SBO 4 are assumed to be lost. Preventive maintenance in an EDG located in the unaffected building is considered in the probabilistic analysis (EDG 2).
Event frequency
The frequency of aircraft crash in which a long LOOP (1E-03/y) event also occurs is evaluated as a considering the occurrence of a long LOOP event is independent of aircraft crash.
Event consequence
The frequency of core damage is assessed to be very low. Even with EDG 2 considered unavailable due to preventive maintenance, the core damage frequency is negligible (2E-12/ry).
2.3.4. Safeguard Buildings 1 and 4
Event information
In the case of an aircraft crash on safeguard building 1, physical separation ensures that impact damage to safeguard building 4 is avoided.
Event Frequency
The frequency of an aircraft crash on one or other of safeguard buildings 1 and 4 is evaluated as a (i.e. double the frequency of a crash on one or other safeguard building as evaluated in sub-section 2.3.1 of this sub-chapter).
Event consequence
The frequency of core damage due to the loss of safeguard building 1 is evaluated in the internal fire analysis as 7.5E-08/r.y, based on a fire frequency of 5.5E-02/y. Therefore, the frequency of core damage due to aircraft crash on safeguard building 1 or 4 is assessed to be extremely low, relative to that due to fire, and hence is judged to be negligible.
2.3.5. Nuclear Auxiliary Building
Event information
The main consequence for the reactor core of an aircraft crash on the nuclear auxiliary building is a potential system interface LOCA (V-LOCA), due to the rupture of part of the RCV [CVCS] seal injection line crossing the Nuclear Auxiliary Building.
All the isolation components designed to prevent containment bypass are located inside the reactor building and are therefore not affected by the crash.
Event Frequency
The frequency of aircraft crash on the Nuclear Auxiliary Building is evaluated as a.
Event consequence
The length of the seal injection line crossing the Nuclear Auxiliary Building is 96 m.
{CCI}
{CCI}
{CCI}
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 38 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The V-LOCA analysis [Ref-1] considers the whole seal injection line length (189 m) and a part of the charging line. The frequency of a rupture or a leakage on those lines is evaluated as a. In that case the frequency of V-LOCA is evaluated as a.
In conclusion, the frequency of V-LOCA due to the aircraft crash on the Nuclear Auxiliary Building a is much lower than that due to internal failures considered in the V-LOCA analysis in the level 1 PSA (see section 5.2 of Sub-chapter 15.1) and hence is judged to be negligible.
Hence the risk of core damage due to aircraft crash on the Nuclear Auxiliary Building is considered negligible.
2.3.6. Effluent Treatment Building
No risk of core damage is expected in the case of an aircraft crash on the Effluent Treatment Building. However, a crash on the Effluent Treatment Building could lead to other radioactive product releases. This risk is analysed in Sub-chapter 15.5.
2.3.7. Circulating Water Pump House (Pumping Station)
In case of aircraft crash on the Circulating Water Pump House, no safety functions would be totally lost due to large dimensions of the building. At most, a larger aircraft crash could induce the loss of 2 SEC/RRI [ESWS/CCWS] trains and 1 SEN/SRI train.
This event is covered by the loss of cooling chain event considered in the level 1 PSA in section 5.9 of Sub-chapter 15.1.
2.3.8. Conclusions
The core damage frequency due to aircraft crashes is judged to be insignificant compared with the CDF calculated in the level 1 PSA due to internal failures.
2.4. EXTREME WEATHER CONDITIONS
A screening analysis of the extreme weather conditions is presented in Sub-chapter 15.2 – Table 4. Only one event is identified as requiring analysis, which is a combination of strong wind and extreme snow.
Strong Wind and Extreme Snow
This multiple failure sequence involves a strong wind affecting the external power supply (main grid and auxiliary grids) and snow affecting plant ventilation systems (air intake of the diesels).
It is reasonable to assume that the plant is in power operation, because scheduled outages (refuelling) do not normally take place during winter months and the grace period for loss of power during shutdown is much longer than after reactor trip. The two diesel buildings are separated by the reactor building and the safeguard buildings. Therefore, it is reasonable to assume that for a given wind direction only the air intake of one diesel building could be affected, the accumulation of snow banks at the other building being prevented by the protective effect of the reactor/safeguard buildings.
{CCI}
{CCI}
{CCI}
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 39 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The consequences of this multiple event sequence are:
• loss of main grid and auxiliary grid
• loss of both emergency diesels and SBO diesel in one diesel building due to blockage of the air intake by snow.
Event frequency
The event frequency is given by the frequency of strong wind inducing LOOP multiplied by the conditional probability of extreme snow fall leading to blockage of multiple air intakes in one of the two diesel buildings due to the combined effect of wind and snow.
• The frequency of strong wind inducing LOOP is bounded by the long LOOP frequency assumed in the UK EPR PSA (1E-03/r.y.) which accounts for climatic causes in the vicinity of the plant. It is assumed in the analysis that 10% of this event, i.e. 1E-04/r.y., is due to strong wind.
• The conditional probability of extreme snowfall leading to blockage of multiple air intakes in one of the two diesel buildings due to combined effect of wind and snow is judged to be low due to the design measures detailed in Sub-chapter 13.1 section 6. The conditional probability is claimed to be below 5E-03.
The frequency of the multiple event (strong wind and extreme snowfall inducing LOOP and multiple air intakes blockage in one of the two diesel buildings) is therefore 5E-07/r.y.
It is useful to note that the assessment of extreme weather condition frequencies is highly site-dependent. Nevertheless, the frequency assessed above, which is mainly based on the consideration of the diesel building design, is judged relevant in the case of a generic approach.
Event consequence
The probabilistic analysis is performed using the long LOOP event tree LOOPL_AB considered in the internal event analysis (see section 5.7 of Sub-chapter 15.1) but with the EDG 3 and 4 and the SBO diesel 4 unavailable. Preventive maintenance on EDG 2 is considered in the analysis.
The frequency of core damage due to strong wind and extreme snow is evaluated as 1.1E-09/r.y.
The frequency of core damage due to the external hazard “Strong Wind and Extreme Snow” is low relative to that from internal failures and is therefore neglected.
2.5. BIOLOGICAL CLOGGING OF WATER INTAKES
The risk to be considered is the clogging of the water intakes due to a massive arrival of marine bodies resulting in loss of the Ultimate Heat Sink (LUHS).
The marine bodies may be algae, seaweed, fish, mussels, jellyfish or debris such as ship’s waste, wreckage, plastic sheeting etc.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 40 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Event information
The frequency of the event is taken as 1 per year (see Chapter 2).
Design information
The operating principles of the safety classified water intake and filtering systems, SRU [UCWS] and SEC [ESWS] are described in Chapter 9.
Event consequence
The consequence of the clogging is a potential for a Loss of Ultimate Heat Sink (LUHS).
Event Frequency
The frequency of a massive arrival of marine bodies is assumed to be about 1 per year [Ref-1].
The consequences and risks of this event will be considered in section 3 of this sub-chapter.
3. LOSS OF ULTIMATE HEAT SINK – LUHS
Frequency assessment
After clogging of the filters, alarms are actuated in the main control room which trigger a number of operations that help to prevent the total loss of the water intakes. In particular, the circuit connections would be configured so that the SEC [ESWS] can still be supplied despite the loss of one or more water intakes.
In the Level 1 PSA the LUHS frequency is assumed to be a.
Note that this value may be dependent on the final design of the pumping station, which is site-dependent. The value used is taken from the Flamanville 3 PSA and is considered to be representative given that the same design requirements are likely be applied to a UK EPR.
As shown in Sub-chapter 15.2 - Table 4 “Screening analysis”, the LUHS frequency takes into account contributions from the following causes:
• Biological clogging of the water intake (algae, seaweed, fish, mussels, jellyfish etc), see sub-section 2.5 of this sub-chapter
• Frazil ice,
• Others causes having a low frequency (see Sub-chapter 15.2 - Table 4),
• Intrinsic failures of the water intake (loss of filtering chains and drums etc.). According to EPR pumping station reliability analysis [Ref-1] the intrinsic failures contribute to 15% of the overall LUHS frequency. Note: Such an event has never been observed in nuclear power plant around the world. Consequently, a χ² approach could be an alternative to the one presented above.
All reactor states (A&B, CA, CB, and D) are considered in the probabilistic analysis.
{CCI}
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 41 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The LUHS event considered in the Level 1 PSA involves the following failures:
• Loss of the water circulation system (CRF) suction leading to the failure of the Main Steam Bypass (GCT [MSB]).
• Loss of RRI/SEC [CCWS/ESWS]. This leads to:
o Loss of thermal barriers and loss of RCV [CVCS] pump cooling (no seal injection and potential risk of seal LOCA),
o Loss of all MHSI pumps and LHSI pumps 2 and 3.
o Loss of the RIS/RRA [SIS/RHRS] heat exchangers.
• Loss of the SRI raw water cooling (SEN) leading to loss of the component cooling - conventional systems (SRI). This leads to:
o Loss of MFW pump cooling
o Loss of AAD [SSS] pump cooling
In accordance with the method applied in the Level 1 PSA, the system mission time considered is 24 hours. A sensitivity analysis on this parameter, to analyse the potential consequences of long term LUHS, is presented in Sub-chapter 15.7.
Accident mitigation
The LUHS event is similar to a total loss of cooling chain RRI/SEC [CCWS/ESWS] event addressed in section 5.9 of Sub-chapter 15.1 except that the secondary side systems (ARE [MFW], GCT [MSB], AAD [SSS]) are assumed unavailable due to the initiating event.
Power States A and B – LUHS_AB
Given the loss of the ultimate heat sink, the turbine is tripped due to the loss of the condenser. The loss of the normal secondary side heat removal leads to a reactor trip. As the thermal barriers (RRI [CCWS]) and the seal injection (RCV [CVCS]) are lost due to the initiating event, the Reactor Coolant Pumps are automatically tripped. If the automatic Reactor Coolant Pump trip fails there is a risk of a seal LOCA.
Without seal LOCA, residual heat removal is effected by the opening of 1 VDA [MSRT] train on a “high steam generator pressure” signal and by the start-up of one ASG [EFWS] pump on a “low steam generator level” signal. The operators cross-connect the ASG [EFWS] tanks and provide a water supply in order to assure the long term cooling. In case of failure of this safety function it is not possible to actuate “Feed and Bleed” operation due to the unavailability of the MHSI pumps and core damage is postulated.
With seal LOCA, the operator should rapidly depressurise the primary circuit in order to reach the LHSI injection pressure while maintaining the RCP [RCS] inventory. Fast depressurisation is performed with two ASG [EFWS] trains and two VDA [MSRT] trains. The RCP [RCS] inventory is maintained by injection from two accumulators and one LHSI train. Long term cooling is ensured via secondary side heat removal (ASG [EFWS] and VDA [MSRT]). IRWST cooling is ensured by the Ultimate Cooling Water System.
The core damage frequency in case of LUHS during power states A and B is evaluated as 7.4E-08/ry.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 42 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The following table lists the main accident sequences arising from LUHS during power operation. They represent about 88% of the frequency of the core damage due to LUHS in at-power states.
Initiating event Brief description of the accident sequences
Frequency (per reactor
per year)
LUHS_AB Given the LUHS, a seal LOCA occurs and the operator fails to actuate the fast secondary cool-down before 30 minutes 4.6E-08
LUHS_AB
Given the LUHS, the residual heat removal function fails because of the failure of the operator to cross-connect ASG [EFWS] tanks or to assure the water supply of the tanks (delay > 4 hours).
1.2E-08
LUHS_AB Given the LUHS, the residual heat removal function by secondary side fails. 7.4E-09
The risk is dominated by the failure of the ASG [EFWS] trains to provide the residual heat removal safety function. This is due to the fact that no primary RHR is possible (RIS/RRA [SIS/RHRS] trains or Feed and Bleed) due to the initiating event.
Failure of the operator is an important contributor to failure of long term cooling via the ASG [EFWS] or using fast secondary cool-down actuation in case of seal LOCA.
Shutdown States CA and CB and D
Unlike the scenario for power states, the behaviour of the reactor coolant pump seals is not an issue because the seals are able to resist the pressure and temperature in cold shutdown states in event of thermal barrier and seal injection failure.
LUHS events in state CA, CB and D are similar to the total loss of cooling chain events (LOCC7_CA, LOCC7_CB and LOCC7_D events) studied in section 5.9 of Sub-chapter 15.1. The difference is due to the initiating event frequency.
The core damage frequencies for the case of LUHS in shutdown states CA, CB is evaluated as:
• State CA - LUHS_CA = 1.4E-11/r.y
• State CB - LUHS_CB = 6.3E-13/r.y
• State D - LUHS_D = 1.6E-09/r.y
The following table lists the main accident sequences arising from LUHS during power operation. They represent almost 100% of the frequency of core damage due to LUHS in shutdown states.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 43 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Initiating event
Brief description of the accident sequences Frequency (per reactor
per year)
LUHS_D The initiating event is followed by the failure of the operator to start the LHSI pumps provided with diverse cooling from the Main Control Room within 2 hours.
1.3E-09
LUHS_D
The initiating event is followed by a common cause failure of the support system cooling LHSI pumps provided with diverse cooling (safety chilled water system DEL) or by a common cause failure of LHSI pumps or LHSI valves..
2.5E-10
The risk is seen to be dominated by failure of the operator to start LHSI trains 1 and 4 that are independent of the RRI/SEC [CCWS/ESWS] cooling chain, within 2 hours.
Conclusions
The frequency of core damage due to a loss of ultimate heat sink in the different reactor states is 7.6E08/r.y.
The relative contribution of each LUHS initiating events is given below:
Initiating Event IE frequency (/y) CDF (/ry) LUHS AB {CCI}a 7.4E-08 LUHS CA {CCI}a 1.4E-11 LUHS CB {CCI}a 6.3E-13 LUHS D {CCI}a 1.6E-09
The partition of the frequency between power and shutdown is 98% for the power states (A and B) and 2% for shutdown states (CA, CB and D).
The following figure presents the contribution of the different reactor states:
State A98%
State Ca0%
State D2%
State Cb0%
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 44 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
The contribution to core damage frequency from LUHS mainly arises from power operation when the residual power is the highest. The safety function “residual heat removal” is challenged due to the loss of the secondary side (no ARE [MFW] and no AAD [SSS]) and due to the loss of MHSI avoiding the Feed and Bleed operations. The main risk is due to failure of the ASG [EFWS] due to mechanical failure or failure of the operator to cross-connect the ASG [EFWS] tanks to make use of the whole ASG [EFWS] water inventory in order to assure an adequate water supply or failure of the operator to initiate a fast secondary cooldown after a seal LOCA occurrence.
In shutdown state D, the vessel head has been removed and the primary water inventory is conservatively considered to be low (3/4-loop). The safety function “RCP [RCS] inventory control” is challenged in case of an LUHS event due to the steaming of the primary water. The main risk is due to failure of the operator to actuate the LHSI trains independently of the RRI/SEC [CCWS/ESWS].
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 45 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
SUB-CHAPTER 15.2 - TABLE 1
Component Failure Modes
Type of Components Primary fire-
induced failure mode
Spurious actuation
considered
Passive components: pipes, tanks, heat exchangers, vessels etc
Not affected No
Pumps Inoperable No
Check Valves Not affected No
Manual Valves As is No
Motor Operated Valves As is Yes
Safety Valves Not affected No
Solenoid Operated Valves Inoperable Yes
Cables Inoperable (open circuit) Yes
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 46 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
SUB-CHAPTER 15.2 - TABLE 2
Mapping of Building for Fire Analysis
Building Relevant Components in the building Mapping
Containment
SADVs, PSRVs, Reactor Coolant Pumps incl. Reactor Coolant Pump leak-off valves and Stand-Still Seal System.
Valves of reactor system boundary.
Containment isolation valves.
SG isolation valves.
Safety related I&C (Sensors and transmitters).
Screen in;
Safety relevant components may be affected by the fire,
Fire could cause automatic/manual plant trip
Annulus
Safety-related cables for all 4 divisions.
Junction boxes.
Screen in;
Safety relevant components may be affected by the fire,
Fire could cause automatic/manual plant trip
Safeguard building 1-4 Mechanical area
Div 1-4:
Component cooling water system pumps, valves and heat exchangers,
Safety injection system pumps (LHSI, MHSI) pumps, valves and heat exchangers.
ASG [EFWS] pumps and valves,
Div 1 and 4:
Containment heat removal system pumps and valves incl. dedicated cooling chain.
Screen in;
Safety relevant components may be affected by the fire,
Fire could cause automatic/manual plant trip
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 47 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building Mapping
Electrical and I&C area Cable Floor/ Battery Room / I&C Room /
Normal / emergency power MV/LV Distribution of NI, Uninterruptible power supply (UPS) incl. Batteries DC distribution
Electrical cabinets
Safety I&C cabinets
Main Steam and Feedwater valve compartments 1-4
Feedwater isolation valves,
Main steam isolation valves
Main Steam Relief valves,
Main Steam Safety Valves
Screen in;
Safety relevant components may be affected by the fire,
Fire could cause automatic/manual plant trip
Fuel Building Division 1-4
Fuel Pool Cooling Pumps and valves,
Extra Borating system pumps and valves
Chemical Volume and control system pumps and valves,
Boric acid system pumps and valves
Screen in;
Safety relevant components may be affected by the fire,
Fire could cause automatic/manual plant trip
Main Control Room / Cable Spreading Room for MCR
PICS/SICS workstations Cables for all 4 divisions
Screen in;
Fire could cause automatic/manual plant trip
RSS / Cable Floor for RSS
PICS/SICS workstations Cables for all 4 divisions
Screened out,
RSS in stand-by during normal plant operation.
No immediate plant shutdown required
Nuclear Auxiliary building and radioactive waste building
Non safety relevant systems (valves and pumps)
Normal LV distribution
Screened out, in case of a fire
No safety related systems affected,
No immediate plant shutdown required
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 48 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building Mapping
Diesel Generator buildings 1-4
Emergency Diesel Generators (1-4)
SBO Diesel Generators (1 and 4)
LV Distribution
Screened out,
Diesel buildings separated in 4 fire compartments (1 per division)
Diesel generators in stand-by during normal plant operation.
No immediate plant trip/shutdown (which may cause a consequential LOOP and the start of the Diesel generators) required.
Service Water Pump Building 1-4
Essential service water pumps and valves (1-4),
Essential Service water pumps and valves for EVU [CHRS] 1 and 4)
Screen in;
Safety relevant components may be affected by the fire,
Fire could cause automatic/manual plant trip
Main cooling water pump building
Main cooling water pumps
Auxiliary cooling water pumps
Screen in;
Fire could cause automatic/manual plant trip
Switchgear building of TI
Normal power MV/LV Distribution of NI and TI,
Uninterruptible power supply (UPS) of
TI incl. Batteries
TI I&C cabinets
Screen in;
Fire could cause automatic/manual plant trip
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 49 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building Mapping
Turbine Building
Turbine and generator unit
Main steam bypass valves
Pumps and valves of:
Main condensate system,
Main feedwater system
Start up and shutdown system
Closed cooling water
Demineralised water system
etc
Screen in;
Fire could cause automatic/manual plant trip
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 50 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
SUB-CHAPTER 15.2 - TABLE 3
Mapping of Building for Flooding Analysis
Building Relevant Components in the building
Mapping
Containment
SADVs, PSRVs, Reactor Coolant Pumps incl. Reactor Coolant Pump leak-off valves and Stand-Still Seal System.
Valves of reactor system boundary
Containment isolation valves
Safety related I&C (Sensors and transmitters)
Screened out due to design provisions
(Location of the considered equipment above maximum flooding level to be expected in case of LOCA)
Safeguard building 1-4
Mechanical area
Div 1-4:
Component cooling water system pumps, valves and heat exchangers,
Safety injection system pumps (LHSI, MHSI) pumps, valves and heat exchangers
ASG [EFWS] pumps and valves,
Div 1 and 4:
Containment heat removal system pumps and valves incl. dedicated cooling chain
Evaluation of the impact by loss of all safety equipment of redundancy 1 (SB1) - including the CVCS pump located in Fuel Building 1 - due to leakage at the assigned SEC [ESWS] pipe.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 51 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building
Mapping
Electrical and I&C area Cable Floor/ Battery Room / I&C Room /
Normal / emergency power AC MV/LV Distribution of NI, Uninterruptible power supply (UPS) incl. Batteries DC distribution
Electrical cabinets
Safety I&C cabinets
Note:
There is no impact on another SB due to the consistent divisional separation of the SB.
For the evaluation of the initiator frequency, the frequency of the PTR [FPCS] break in the Fuel Building is added to the frequency of a SEC [ESWS] pipe break in the safeguard building.
Flooding could cause automatic/manual plant trip
Main Steam and Feedwater valve compartments 1-4
Feedwater isolation valves,
Main steam isolation valves
Main Steam Relief valves,
Main Steam Safety Valves
Safety relevant components may be affected and flooding could cause automatic/manual plant trip
Screened out due to design provisions
• Physical and geographical separation of the redundancies 1 to 4 restricts the impact to the affected redundancy;
• the loss of one redundancy is considered to be covered by the initiating event analysis of secondary side breaks
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 52 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building
Mapping
Fuel Building Division 1-4
Fuel Pool Cooling Pumps and valves,
Extra Borating system pumps and valves
Chemical Volume and control system pumps and valves,
Boric acid system pumps and valves
Screen in;
Safety relevant components may be affected,
Flooding could cause automatic/manual plant trip
Evaluation of the impact on core damage due to non-isolable leakage of one PTR [FPCS]-train.
Note:
This evaluation is performed together with the assigned SB by adding both initiator frequencies.
There is no impact on the other Fuel Building part due to the divisional separation of the both parts.
Main Control Room / Cable Spreading Room for MCR
PICS/SICS workstations Cables for all 4 divisions
Screened out: No relevant flooding source expected. Potentially released water will flow downwards via the staircases
RSS / Cable Floor for RSS
PICS/SICS workstations Cables for all 4 divisions
Screened out: No relevant flooding source expected. Potentially released water will flow downwards via the staircases
Nuclear Auxiliary building and radioactive waste building
Non safety relevant systems (valves and pumps)
Normal LV distribution
Screened out:
No safety related systems affected,
No immediate plant shutdown required
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 53 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building
Mapping
Diesel Generator buildings 1-4
Emergency Diesel Generators (1-4)
SBO Diesel Generators (1 and 4)
LV Distribution
Screened out,
• Physical and partly geographical separation of the redundancies 1 to 4 resp. 5 and 8 restricts the impact to the affected redundancy;
• Diesel generators in stand-by during normal plant operation.
No immediate plant trip/shutdown (which may cause a consequential LOOP and the start of the Diesel generators) required.
Service Water Pump Building 1-4
Essential service water pumps and valves (1-4),
Essential Service water pumps and valves for EVU [CHRS] 1 and 4)
Screened out due to design provisions
• Physical and geographical separation of the redundancies 1 to 4 resp. 5 and 8 restricts the impact to the affected redundancy;
• the loss of one redundancy is considered by the analysis of LOCC events
Main cooling water pump building
Main cooling water pumps
Auxiliary cooling water pumps
The main cooling water pumps and the main cooling water pumps are affected by the flooding.
This event is covered by the modelling of the initiating event Loss of condenser frequency of which is more than 1 order of magnitude higher than the flooding in the main cooling water pump buildings is expected.
Switchgear building of TI
Normal power MV/LV Distribution of NI and TI, Uninterruptible power supply (UPS) of TI incl. Batteries TI I&C cabinets
Screened out: No relevant flooding source expected. Any potential effects are assumed to be covered by the analysis of a fire in the switchgear building of TI
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 54 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
Building Relevant Components in the building
Mapping
Turbine Building
Turbine and generator unit
Main steam bypass valves
Pumps and valves of:
• Main condensate system,
• Main feedwater system,
• Start up and shutdown system,
• Closed cooling water,
• Demineralised water system,
• Etc.
Screen in;
Flooding could cause automatic/manual plant trip
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 55 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
SUB-CHAPTER 15.2 - TABLE 4
Screening Analysis of External Hazards
EXTERNAL HAZARDS SCREENING ANALYSES
METEOROLOGICAL EVENTS
ME 01
Strong Winds
Event Description
The event is defined as damage to the plant due to strong winds. It includes both direct damage from wind pressure and indirect damage due to wind-carried missiles. The main characteristics are the wind speed and the wind direction. Two wind speeds must be considered, i.e. mean speed and gust speed.
The event does not include tornado due to the unique characteristics of this event. Therefore, tornadoes are assessed separately – see below.
Event Information
See Chapter 2
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 56 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Strong Winds
Design information
A number of buildings have been designed for extreme structural loads (earthquake, aircraft crash and explosion pressure load - see Chapter 13). These buildings will also sustain extreme wind loads.
Structures housing systems and equipment to bring the plant to and maintain it in Safe Shutdown or for protection against unacceptable release of radioactivity from stored fuel and radioactive waste, are designed to withstand loadings based on the extreme wind speed. The same applies to safety equipment, which is directly exposed to the wind. The design wind speeds are selected based on the site meteorological characteristics. The design wind speed for the UK EPR will be based in a 1 in 10,000 year return frequency as required in the SAPs with a safety margin to avoid cliff edge effects.
Impacts from winds and extreme wind speed etc. are also considered in design of ventilation systems.
Structures designed for extreme wind speed are designed to withstand wind-generated missiles.
Event consequence
According to US data [Ref-1] external events involving strong winds are responsible for about 20% of the total LOOP events, mainly due to storm, snow/ice storm, salt storm, tornado and hurricane.
Loss of off-site power (LOOP) is assumed to be the most probable consequence of strong winds. The cause may be direct structural damage due to wind pressure to the components in the external grid or plant switchyard, or indirect damage due to missile effects (e.g. due to unfastening of building facing plates).
Screened in
Screened out
In conclusion, LOOP events due to strong wind are judged to be bounded by the analysis of LOOP in the internal events PSA. The frequency of extreme winds is much lower than the frequency of the modelled LOOP events, and the consequence of the single event is not worse than for the modelled events.
In conclusion, it is judged, that the event is not relevant as a single event, but should be studied as multiple events “Strong Wind and Extreme snow”.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 57 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Tornado
ME 02
Event Description
The event is defined as damage to the plant due to tornadoes. The event is separated from other strong winds due to its special characteristics both with respect to duration, wind speed, and frequency of occurrence.
Event Information (TORRO)
See Chapter 2 for general information about tornadoes in the UK.
It is stated that the approximate frequency of being hit by a tornado in England and Wales is 3.3E-05/y.
Design information
All safety critical buildings which have been designed for extreme structural loads (earthquake, aircraft crash and explosion pressure load) are assumed to withstand the wind loads from a tornado. The following buildings are protected against explosion pressure wave:
• 1-4 Emergency Diesel Generator Buildings
• Fuel Building
• Reactor Building
• 1-4 Safeguard Building
• Circulating Water Pump House
• 1-4 Essential Water Pump Buildings
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 58 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Tornado
Event consequence
No impact on the safety related equipments which are located in the “aircraft shell”, and credit can still be taken from geographical separation (for the diesel buildings for instance). The consequence on the off-site power supply is separately taken into account in the LOOP frequency.
The impact on the Nuclear Auxiliary Building and on the Effluent Treatment Building could lead to some damage, but given the limited width of a tornado it is considered that the potential releases would be of very low magnitude.
Screened in
Screened out The event has a low frequency of occurrence and the potential radioactive releases would be very low.
High air temperature
ME 03
Event Description
The event is defined as plant impact due to high air temperature. Plant impact due to high water temperature is treated separately.
Event Information (MetOffice)
See Chapter 2 which gives general figures concerning the UK.
For the generic UK coastal site it states that the frequencies of exceeding 36°C as 12 hours average and 42°C as instantaneous in air temperature are lower than 1E-04/y.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 59 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
High air temperature
ME 03
Design information
The following tables give the design air temperatures with relative humidity (RH) (see Chapter 13)
12 hour average design value
Under standard seaside (cold)
Tair max day = 36°C
RH = 40%
Instantaneous design value
Under standard seaside (cold)
Tair max inst = 42°C
RH = 29%
Event consequence
The high air temperature could have an impact on the plant cooling systems.
Screened in
Screened out
The frequency of exceeding the design temperatures is low (1E-04/y).
If temperatures higher than the design values were reached, a number of actions would be taken among which preventive actions aiming at enabling to operate in a safe state even with these very high temperatures (for instance provisions will be taken in the Technical Specifications).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 60 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Low air temperature
ME 04
Event description
The event is defined as plant impact due to low air temperature.
Event information (MetOffice)
See Chapter 2 which gives general information about very low temperatures in the UK. For the generic UK coastal site it states that the frequencies of experiencing a temperature below -15°C for more than 7 days, a temperature of -25°C for between 6 hours to 7 days or a temperature of -35°C for less than 6 hours, accounting for climate change, is below 1E-05/y.
Design information
The following minimum values are considered for the design of standard buildings (100% relative humidity for all cases is considered):
• Long-term base: -15°C for >7days (with a 4 m/s constant wind).
• Short-term base: -25°C for 6 hours to 7 days.
• Instantaneous: -35°C for 6 hours or less.
Event consequence
The consequence on sea water temperature is analysed in the external hazards low sea water temperature, frazil, sea ice etc.
Screened in
Screened out Screened out on the basis of the very low probability of getting off the design range.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 61 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
High sea water temperature
ME 05
Event description
The event is defined as plant impact due to high water temperature.
Event information
No specific data needed. The sea water temperature in UK is generally low.
Design information
Water temperature is continuously measured at the cooling water intakes. The maximum essential service water temperatures assumed for the design of UK EPR are:
• 26°C for normal operation (PCC-1) and for operating conditions with multiples failures (RRC-A and RRC-B);
• 30°C for reference transients, incidents and accidents (PCC-2, PCC-3 and PCC-4).
Event consequence
Any plant effects from high water temperatures will be gradual. The potential impact is on plant cooling leading to the plant shutdown or the gradual loss of ultimate heat sink.
The generic UK coastal site is considered to be characterised by frequencies of exceeding these values lower than 10-4, accounting for climate change (see Sub-chapter 2.1).
Screened in
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 62 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Screened out
It is considered that the frequency of such sea water temperature is much lower than the frequency of arrival of marine bodies (1/y) considered in the LUHS event.
Therefore, it is judged that high sea water temperatures are not a threat to the plant. Furthermore, any plant effects will be gradual. If any counter-measures are required, there will be time to plan and to implement them. The warning time may also be used for a preventive shut-down of the plant, as the plant will be less vulnerable after a shut-down for this event.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 63 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Low sea water temperature
ME 06
Event Description
The event is defined as plant impact due to low water temperature. Plant impact due to low air temperature or ice impact are treated separately.
Event information
No specific data needed
Design information
Water temperature is continuously measured at the cooling water intakes. Any plant effects from high water temperatures will be gradual.
The minimal seawater temperature considered in the design for the inlet water (cold sea) is -0.5°C.
Event consequence
Probably the most important related event is Frazil ice (treated separately), which requires water temperatures below zero as one of its preconditions.
Screened in
Screened out As all effects on the ultimate heat sink are covered by other initiating events, the event is screened out from further analysis. Furthermore, any plant effects from low water temperatures will be gradual. If any counter-measures are required, there will be time to plan and to implement them.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 64 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Surface ice
ME 07
Event Description
The event is defined as plant impact due to thick surface ice.
Event information
No site data needed.
Design information
The relating design is strongly site-dependent.
Event consequence
The plant impact can be the loss of the ultimate heat sink.
Screened in
Screened out For the current analysis it is considered that the design margin will enable thick surface ice to be accommodated so that the frequency of loss of heat sink due to this phenomenon would be extremely low.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 65 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Frazil ice
ME 08
Event description
The event is defined as plant impact due to formation of frazil ice in the cooling water intake.
Frazil ice may form in case of strong wind in connection with below zero temperature and open water. Under these conditions the water temperature may be around 0 °C. Ice crystals are formed in the water and carried by turbulence to several meters below the surface, in case of half-gale down to a depth of 10 meters. The crystals form lumps and may stick to below-water structures. In this way, a thick ice coating may form on the intake strainers. There is a risk of frazil ice in the interval -0.5 °C to -1.0 °C.
Event information
No specific data needed.
Design information
The clogging of the water intake filters can be detected by pressure measurements upstream and downstream the filters. The availability of the water intake during abnormal low temperature which could lead to frazil phenomena will be controlled with special attention by the operator.
The final design is strongly site-dependent, but as for the Flamanville plant there should be a diversified source of water, namely in the cooling water outlet reservoir.
Event consequence
Loss of Ultimate Heat Sink.
Screened in The frequency of LUHS due to frazil ice is considered in the probabilistic analysis of LUHS (see section 3 of this sub-chapter).
Screened out
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 66 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Extreme rain
ME 09
Event description
The event is defined as damage to the plant due to extreme rain. It includes both damage from rain load on structures and damage due to rain induced flooding.
Event information (MetOffice)
No data necessary for the current analysis.
Design information
The design of the protection against extreme rain is described in Chapter 13.
The associated design is strongly site-dependent.
Event consequence
The risk due to extreme rain is the external flooding of the plant.
Screened in
Screened out The design requirements are such that the risk due to extreme rainfall can be disregarded in the framework of the GDA.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 67 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Extreme snow
ME 10
Event description
The event is defined as damage to the plant due to extreme snow, including snow storms. It includes direct damage from snow load on structures and snow clogging of ventilation openings. It also includes the indirect impact of a prolonged plant isolation.
The potential damage from snow differs considerably depending on the characteristics of the snow; wet snow gives the worst structural damage (e.g. to power transmission systems). Snow storms are included in order to include clogging of ventilation openings.
Event information (MetOffice)
See Chapter 2 where general information is given.
Design information
Different impacts of snow falls are considered in the analysis:
• Damage of structure and exposed components due to extreme snow loads,
• Snow effects on HVAC systems,
• Loss of off-site power.
All the buildings are designed to resist the effect of snow according to Eurocodes.
All buildings, safety classified or not safety classified, are designed to withstand snow fall effects. More over, the safety classified buildings are designed against the aircraft crash, seism, and external explosions which assure a sufficient additional protection against extreme snow falls.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 68 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Extreme snow
ME 10
Event consequence
Loss of off-site power (LOOP): taken into account in the LOOP frequencies (see Sub-chapter 15.1 where LOOP initiating events are accounted for). Damage to non safety classified buildings in case of snow loads well above the design criteria.
Screened in
Screened out All safety critical buildings and structures in the plant are expected to be designed against extreme snow loads and this event is judged not relevant as a single event. The effect of snow is studied in the multiple external hazard “Strong wind and extreme snow” (see section 2 of this sub-chapter). For the other building, the frequency of snow loads well above the design criteria is very low, and the potential consequences would be low in terms of radioactive releases.
Extreme hail
ME 11
Event description
The event is defined as damage to the plant due to extreme hail. It includes damage from hail load on structures. Flooding effects due to melting of hail are not included, as they are bounded by flooding effects from extreme rain.
Event information
No specific data needed.
Design information
Due to design provisions no damage are expected from extreme hail on the plant.
Screened in
Screened out Any possible effects on the ultimate heat sink are judged to be bounded by ice events (frazil ice, sea ice etc).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 69 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Soil frost
ME 12
Event description
The event is defined as impact on the plant from soil frost.
Event information
No specific information needed.
Design information
Design based on Eurocodes, and very large margins for most of the plant buildings.
Event consequence
No consequence is expected from soil frost which could challenge the plant safety.
Screened in
Screened out The plant is judged to be adequately protected against effects from soil frost.
Humidity – Mist
ME 13
Event description
The event is defined as impact on the plant from mist.
Event information
No specific information needed.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 70 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Humidity – Mist
ME 13
Design information
No specific information needed.
Event consequence
There is no direct impact, and the only indirect impact imaginable is through increase of the frequency of certain man-made hazards involving ships, surface vehicles or aircraft.
Screened in
Screened out No direct impact expected on the plant
Drought
ME 14
Event Description
The event is defined as an extended drought period that lowers the water level of lakes, rivers and open water basins. For seashore plant it takes into account the meteorological phenomena leading to very low sea level combined with very low tides.
Event information
No specific information needed in the framework of the GDA.
Design information
The pumping station and other related system designs are strongly site-dependent. The design requirements are such that a Lowest Safety Water Level (LSWL) is defined according to criteria which assure that the frequency of getting water levels below the LSWL is lower than 1E-05/y (see Chapter 13).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 71 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Drought
ME 14
Event consequence
For the coastal site the consequence is the potential loss of heat sink during a short time – few hours during an exceptional tide.
Screened in
Screened out Very low frequency and limited impact for coastal sites.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 72 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Lightning
ME 15
Event Description
The event is defined as plant damage due to lightning. The impact may be direct, causing structural damage or LOSP events, or indirect through the electromagnetic field or fire started by lightning. Lightning is defined as a sudden, large electrical discharge between a thundercloud and the ground or any protruding element anchored in the ground (trees, pylons, buildings etc.). Lightning occurs if the electrical potential difference between the upper and lower parts of a cloud becomes too strong. The first discharges occur within the cloud, but later they will also occur between clouds or between the cloud and the ground. Ground lightning may have positive or negative polarity, and the discharge may occur downwards (cloud to ground) or upwards (ground to cloud). Most lightning has a negative charge. During summertime, positive discharges are 5% and during wintertime 50% of all discharges. The electric current occurring in lightning joining cloud to ground can peak at values between 2 kA and several hundred kA (median value 30 kA) with a typical rise time of about 1 ms.
The four main parameters of a lightning strike are:
1. Peak current, mainly determines the increase of potential: may lead to flashovers (formation of sparks), and also to transmission of the lightning between objects. It also controls magnetisation effects.
2. Maximum rate of current rise, determines the induced voltage in loops (power cabling, measurement and control cabling, electronic systems).
3. Square current impulse, mainly determines thermal effects
4. Charge, determines the melting of metal surfaces struck by the lightning.
The first two are the most important ones for NPPs. This is due to the many extensive and interconnected cabling and piping systems inside and outside buildings, which provide progression routes for the effects from a lightning strike if protective measures are not adequately designed and implemented.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 73 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Lightning
ME 15
Event information (MetOffice)
No specific data needed.
Design information
EPR is designed to withstand a maximal current peak of 200k A. (see Chapter 13).
The provisions for external and internal lightning protection reduce the electrical and electromagnetic loads caused by external or internal Electro magnetic impulse (EMI) to a level which is acceptable for the I&C.
To obtain sufficient shielding against lightning striking a building, each building is constructed as a closed meshed Faraday cage. This is achieved for instance by a continuous standard reinforcement system with at least two layers around the entire building (foundation slab, outer walls, and roof). To form an effective shielding against high-frequency disturbances (fast pulses) the outer building walls are additionally equipped with closed metal facades.
The internal lightning protection concept is based on direct and short connection of all casings of I&C equipment (sensors, junction boxes, cubicles) and cable shields to the inner earthing system. Electrical equipment includes protection against surges resulting from lightning strikes on electrical transmission lines.
Strong currents caused by lightning strikes are dispersed into many small partial currents to reduce the induced voltages to acceptable levels. Depending on the construction type of the building suitable measures are defined for each building, which will meet the requirements.
Metal equipment outside buildings (e.g. on the roof) are protected by an isolated external lightning protection system. All cables connected to this equipment are connected to surge-protective devices, which are installed directly at the entrance into the building.
Shielding together with the lightning protection system will protect a building from the disturbances caused by direct or nearby, indirect lightning strikes. In case of direct lightning strike to the building, currents inside the shield (the lightning current itself or induced compensation currents) shall be dispersed into many partial currents to reduce the induced voltages to acceptable levels.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 74 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Lightning
ME 15
Event consequence
The major conclusion in NUREG 1407 [Ref-2] is that the primary impact of lightning on NPPs is LOOP, which is included in LOOP events in the level 1 PSA (see section 5.7 of Sub-chapter 15.1). Another consequence is spurious scram (see section 5.8 of Sub-chapter 15.1). It also concludes that, in general, other effects of lightning on NPPs are insignificant. Further examination of lightning effects may be warranted for certain sites where, based on past operating experience, lightning strikes are likely to cause more than just LOOP, e.g. affect safety related instrumentation and control systems.
The frequency of lightning exceeding the design value of 200kA is estimated as 1E-05/y in NUREG 1407 [Ref-2].
Screened in
Screened out
A number of techniques are used for internal and external lightning protection. Considered in combination with the very low frequency of beyond- design lightning, the plant is judged to be sufficiently protected against lightning.
The LOOP events caused by a potential lightning exceeding the design value is assumed to be 1E-05/y which is insignificant compared to the LOOP events (6E-02/y for short LOOP; 1E-03/y for long LOOP) analysed in the level 1 PSA (see section 5.7 of Sub-chapter 15.1).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 75 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
MAN-MADE EVENTS
Fire on-site and off-site
MME 01
Event Description
The event groups fire in the site zone but not in the buildings. Internal fire is evaluated separately in the internal hazards analysis.
Event information
See Chapter 2 where it is stated that the land use around the plant (on-site and off-site) is such that an external fire cannot propagate towards the plant.
Design information
No specific data needed.
Event consequence
The event consequence can be triggering of a fire in the plant buildings and difficult access to the plant.
Screened in
Screened out Screened out on the basis of extremely low probability – see comment above in “Event Information”
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 76 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Explosion on-site and off-site
MME 02
Event Description
The event covers damage to the plant due to explosions (deflagration or detonation) of solid substances or gas clouds outside the site. The damage may be due to pressure impact or impact from missiles. The origin of these events is in process industries in plant vicinity, or from transportation routes (road and sea), or from pipeline.
Event information
See Chapter 2 where it is stated that the generic UK site is characterised by a negligible frequency (< 1E-05/y) of nearby explosions which would generate damages to the plant leading to greater releases than those caused by an incident triangular pressure wave reaching a maximum of 10 kPa and having a duration of 300 ms.
Design information
The design takes into consideration the external explosion risk based on Technical Guideline F.2.2.3.
Plant design in relation to the external explosion risk uses a loading case which is referred to as an Explosion Compression Wave. It is included in the design of the following buildings:
Security Sensitive material removed from this version of the report.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 77 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Explosion off-site and on-site
The standard loading case which is representative of the incident wave, used for design, is a Security Sensitive material removed from this version of the report .. It represents a detonation wave. The detonation is expected to occur at the accident location, i.e. at a transport route or a fixed industrial installation. The benchmark wave is expected to arrive in a horizontal direction.
Security Sensitive material removed from this version of the report.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 78 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Explosion off-site and on-site
Event consequence
The impact on the plant is a potential loss of building(s) and the safety functions associated. It depends on the explosion intensity and on site layout.
Screened in
Screened out Very low frequency (< 1E-05/y).
Chemical release off-site or on-site
MME 03
Event description
The event includes chemical releases from industrial plants, pipelines or from transportation routes (road and sea) in the vicinity of the plant (off- and on-site).
Event information
See Chapter 2 which gives the generic UK site characteristics in terms of chemical release risk around the plant:
The probability of road or maritime accidents which would threaten the plant safety by the chemical release drift is far lower than 1E-05/y.
Design information
The design provisions against this hazards concern the plant personnel protection and especially the control room habitability and access.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 79 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Chemical release off-site or on-site
MME 03
Event consequence
The event cannot usually damage the plant as such, but may be a threat to plant personnel. Some substances may affect electrical systems by forming by coating.
(Chemical releases which may cause explosions are not included here - see the on-site and off-site explosion hazard.)
Screened in
Screened out Very low frequency (<1E-05/y).
Electromagnetic interference
MME 06
Event description
The event is defined as impact on the plant from Electromagnetic interference.
Event information
See Chapter 2.
Design information
See Chapter 2.
Event consequence
See Chapter 2.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 80 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Screened in
Screened out Screened out because of frequency of occurrence of such a hazard is zero (see Chapter 2).
Accidental
Aircraft Crash
MME 07
Event description
The event includes damage to plant structures due to an aircraft crash within the site area. The aircraft may be either commercial, private or military.
Event information
See Chapter 2 where the generic frequencies of aircraft crash in the UK are provided.
Design information
The following buildings are protected against aircraft crashes (fully hardened):
• Fuel Building
• Reactor Building
• 2 & 3 Safeguard Building
No impact is assumed on those buildings in case of aircraft crash.
The following buildings are not fully protected against aircraft crashes:
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 81 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Accidental
Aircraft Crash
MME 07
• 1 - 4 Emergency Diesel Generator Buildings / Separation
• 1 & 4 Safeguard Building
• Nuclear Auxiliary Building (not protected)
• Effluent Treatment Building (not protected)
• Circulating Water Pump House
Event consequence
The consequences of an aircraft crash depend on the buildings impacted.
Screened in A probabilistic analysis should be performed to estimate the frequency of core damage due to accidental aircraft crash on buildings that can be impacted.
Screened out
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 82 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Missiles
MME 08
Event description
The event includes damage from missiles generated at another plant on the site.
Event information
See Chapter 2 which states that this risk could be avoided on the generic UK site by a suitable site arrangement.
Design information
See qualitative analysis in sub-section 1.2 of this sub-chapter.
Event consequence
Not needed.
The evaluation of the potential consequences could be strongly site-dependent.
Screened in
Screened out For a specific site the plant layout will be defined in order to minimise any risk associated to missiles from other buildings/equipments on the site.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 83 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
External Hazards SCREENING analyses
Direct impact from heavy transportation
within site.
MME 09 Event description
The event is defined as damage to the plant from direct impact from heavy transportation within site. This also includes the containment external maintenance platform. There is no event defined for impact from light transportation within the site, as minor direct impact is assumed to be within plant design.
Temporary heavy transports occur at exchange of heavy components, up to some hundred tonnes. These transports occur seldom. Recurring transports include the fuel transports to the diesels (< 100 tonnes), which occur a number of times per year.
Event information
No specific data needed.
Design information
All safety critical buildings/structures have structural protection to cope with airplane crash and explosion pressure wave. The protection will be effective also against direct impact from heavy transportation.
Temporary heavy transports for exchange of heavy components are assumed to be adequately planned, and are judged not to pose any risks to the structure. Fuel transports to the diesels generators (< 100 tonnes) occur a number of times per year, and are performed at moderate speeds. Both types of transports are judged not pose a threat to any buildings or tanks due to wall thickness and collision barriers.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 84 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
External Hazards SCREENING analyses
Direct impact from heavy transportation
within site.
MME 09 Event consequence
No impact on the plant buildings assuring safety functions is expected.
The risk of radioactive releases could be considered for less protected buildings which contain radioactive materials, the Effluent Treatment Building for instance. In practise the release which might be the consequence of direct impact of heavy transportation would be very limited (see for example the dose to the public evaluated for the leak in the gaseous waste processing system, < 0.1mSv)
Screened in
Screened out No impact on safety functions (no core damage). Very low impact on radioactive releases.
Solid or fluid impurities from ship
release
MME 10 Event description
The event is defined as impact due to solid or liquid impurities released into the water from a ship. Only the impact from large releases of oil are judged to be significant and representative for this external event.
Event information
See Chapter 2 where it is stated that the frequency of occurrence is far less than the one of water intake clogging by marine organism which is set to 1 per year.
Design information
Not needed.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 85 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
External Hazards SCREENING analyses
Solid or fluid impurities from ship
release
Event consequence
The main consequence is the clogging of filters that could lead to the loss of the ultimate heat sink.
Screened in It is considered to be included in the LUHS analysis with a frequency largely covered by the frequency of clogging by marine organisms (1 per year).
Screened out
Direct impact from ship collision
MME 11 Event description
The event is defined as direct impact from a ship collision. The event does not cover consequences from releases in connection with a ship accident (explosion, pollution, intake clogging or release of toxic gases), as these events are handled separately.
Event information
See Chapter 2 where this event is defined with a frequency of occurrence extremely low for the generic UK site (<< 1E-05/y).
Design information
No specific data needed.
Event consequence
Not needed.
Screened in
Screened out Extremely low probability.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 86 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
External Hazards SCREENING analyses
GEOLOGICAL AND SEISMOTECTONIC EVENTS
Earthquakes
GS 01 Event description
The event is defined as impact due to earthquake.
Event information
See Sub-chapter 15.6
Design information
See Sub-chapter 15.6
Event consequence
See Sub-chapter 15.6
Screened in See Sub-chapter 15.6
Screened out
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 87 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
External Hazards SCREENING analyses
Land rise and other geological phenomena
GS 01 Event description
The site will be chosen in order to avoid risks related to ground movements, groundwater etc. The consequences of such events would then not be considered in the analysis as their frequencies of occurrence will be negligible.
For the site licensing a specific study will be carried out to justify this statement.
Event information
Design information
Event consequence
Screened in
Screened out See event description here above.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 88 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
BIOLOGICAL EVENTS
Animals infestation
B 01 Event description
The event is defined as impact on the plant from animals.
Event information
See Chapter 2 where it is stated that the risks associated with animal infestation is not taken into account in the framework of the GDA.
Design information
The plant is protected against larger animals by fences. It is assumed that the plant is not vulnerable to impact from smaller animals, e.g. rodents.
Event consequence
Not needed in the current analysis.
Screened in
Screened out Excluded from the GDA.
B 02 Event description
The event is defined as plant impact due to organic material in intake water. The material may be algae, seaweed, fish, mussels, jellyfish, etc.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 89 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
Organic material in water
Event information
Rapid and uniform water temperature increases, long sunny weather periods and changes of seawater level favour the growth and unfastening/drifting of algae. See Chapter 2 where a frequency of 1 per year is stated for the water intake clogging due to massive arrival of marine organisms. This very conservative frequency covers multiple other causes of LUHS including frazil ice.
Design information
See Chapter 9.
Event consequence
The main potential consequence is the Loss of Ultimate Heat Sink (LUHS).
Screened in The risk of organic material in water leading to the Loss of Ultimate Heat Sink is analysed.
Screened out
FLOODING
F 01 Event description
The event is defined as plant impact due to high water temperature.
Event information
Not needed.
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 90 / 94
Document ID.No. UKEPR-0002-152 Issue 05
UNCLASSIFIED
EXTERNAL HAZARDS SCREENING ANALYSES
External flooding Design information
The platform level and the design of the volumetric protection are strongly site-dependent. The design requirements and criteria are such that the frequency for the water level to exceed the platform height is very low (<1E-05/y).
Event consequence
Not needed in the current analysis.
Screened in
Screened out Very low frequency (<1E-05/y).
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 91 / 94
Document ID.No. UKEPR-0002-152 Issue 05
: UNCLASSIFIED
SUB-CHAPTER 15.2 – REFERENCES
External references are identified within this sub-chapter by the text [Ref-1], [Ref-2], etc at the appropriate point within the sub-chapter. These references are listed here under the heading of the section or sub-section in which they are quoted.
1. INTERNAL HAZARDS
1.3. DROPPED LOADS
1.3.1. Design and classification of handling devices
[Ref-1] “A Survey of Crane Operating Experience at U.S. Nuclear Power Plants from 1968 through 2002”. NUREG-1774. July 2003. (E)
[Ref-2] Reactor Consequences Assessment of a RPV Closure Head Accidental Drop during Lifting Operation. Topical Report No. 98. NFPMR DC 1048 Revision B FIN. AREVA. (E)
[Ref-3] Probabilistic Safety Assessments of Nuclear Power Plants (Level 1). Safety Series No. 50-P-4. IAEA. (E)
[Ref-4] European Utility Requirements for LWR Nuclear Power Plants, Volume 2: Generic Nuclear Island Requirements, Chapter 17: PSA Methodology, Revision C. (E)
[Ref-5] PRA Procedures Guide. A Guide to the performance of probabilistic risk assessment for nuclear plants. NUREG/CR-2300. Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission. (E)
1.5. FIRE
1.5.2. Methodology of the Fire PSA
The following reference is used throughout all sub-sections of section 1.5.2:
[Ref-1] Fire PRA Methodology for Nuclear Power Facilities. NUREG/CR-6850. Electrical Power Research Institute (EPRI), Palo Alto, CA, and U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research (RES), Rockville. EPRI/NRC-RES. (E)
1.5.3. Mapping of internal fire events
[Ref-1] M Mosse. EPR Technical code for fire protection. ETC-F Version G. ENGSIN050312 Revision B. EDF. August 2007. (E)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 92 / 94
Document ID.No. UKEPR-0002-152 Issue 05
: UNCLASSIFIED
[Ref-2] Fire Safety Assessment of Safety Fire Barriers- Evaluation of fire resistance using experience of comparable EPR layouts. NESP-G/2009/en/1322 Revision C. AREVA. March 2011. (E)
[Ref-3] Fire PRA Methodology for Nuclear Power Facilities. NUREG/CR-6850. Electrical Power Research Institute (EPRI), Palo Alto, CA, and U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research (RES), Rockville. EPRI/NRC-RES. (E)
1.5.4. Fire Analysis / Modelling
The following reference is used throughout all sub-sections of section 1.5.4:
[Ref-1] Fire PRA Methodology for Nuclear Power Facilities. NUREG/CR-6850. Electrical Power Research Institute (EPRI), Palo Alto, CA, and U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research (RES), Rockville. EPRI/NRC-RES. (E)
1.6. FLOODING
1.6.2. Methodology of the Flooding PSA
1.6.2.2. Evaluation of frequencies
[Ref-1] PRA Procedures Guide. A Guide to the performance of probabilistic risk assessment for nuclear plants. NUREG/CR-2300. Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission. (E)
[Ref-2] Pipe Failure Study Update. EPRI TR-102266. April 1993. (E)
[Ref-3] Component Leakage and Rupture Frequency Estimates. EG&G-SSRE-9639. Idaho National Engineering Laboratory. November 1991. (E)
1.6.3. Mapping of internal flooding events
1.6.3.1. Flooding in Safeguard Building / Fuel Building
[Ref-1] PRA Procedures Guide. A Guide to the performance of probabilistic risk assessment for nuclear plants. NUREG/CR-2300. Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission. (E)
1.6.3.2. Flooding in the Turbine Building
[Ref-1] PRA Procedures Guide. A Guide to the performance of probabilistic risk assessment for nuclear plants. NUREG/CR-2300. Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission. (E)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 93 / 94
Document ID.No. UKEPR-0002-152 Issue 05
: UNCLASSIFIED
2. EXTERNAL HAZARDS ANALYSIS
2.1. SCREENING ANALYSIS
[Ref-1] Nuclear Power Station Generic Design Assessment - Guidance to Requesting Parties. Version 2. UK Health and Safety Executive (HSE). July 2007. (E)
[Ref-2] Treatment of External Hazards in Probabilistic Safety Assessment for Nuclear Power Plants. IAEA Safety Series 50-P-7. IAEA. (E)
[Ref-3] External Man-Induced Events in Relation to Nuclear Power Plants: A Safety Standard. IAEA Safety Series 50-SG-D5. 1996. IAEA. (E)
[Ref-4] Extreme Meteorological Events in Nuclear Power Siting, Excluding Tropical Cyclones – A Safety Guide. IAEA Safety Series 50-SG-S11A. IAEA. (E)
[Ref-5] Evaluation of External Hazards to Nuclear Power Plants in the United States. NUREG/CR-5042. Lawrence Livermore National Laboratory. NRC. December 1987. (E)
2.3. AIRCRAFT CRASH
2.3.1. Aircraft crash rate
[Ref-1] J P Byrne. The Calculation of Aircraft Crash in the UK, AEA Technology plc. HSE. Contract Research Report 150/1997. (E)
[Ref-2] PSAR Flamanville DAC. Chapter 3.3. Protection against external hazards. 2006. (E)
2.3.5. Nuclear Auxiliary Building
Event consequence
[Ref-1] EPR – Probabilistic analysis of accident sequences caused by interfacing loss of coolant accidents. EPSE DC 833 Revision F. AREVA NP. March 2006. (E)
2.5. BIOLOGICAL CLOGGING OF WATER INTAKES
Event Frequency
[Ref-1] EPR – Study of the reliability of the pumping station for the Flamanville site – Quantification of initiating events for total loss of cooling water. Technical Report ECEF051311 Revision A. EDF. (E)
UNCLASSIFIED
PRE-CONSTRUCTION SAFETY REPORT
CHAPTER 15: PROBABILISTIC SAFETY ANALYSIS
SUB-CHAPTER : 15.2
PAGE : 94 / 94
Document ID.No. UKEPR-0002-152 Issue 05
: UNCLASSIFIED
3. LOSS OF ULTIMATE HEAT SINK – LUHS
Frequency assessment
[Ref-1] EPR – Study of the reliability of the pumping station for the Flamanville site – Quantification of initiating events for total loss of cooling water. Technical Report ECEF051311 Revision A. EDF. (E)
SUB-CHAPTER 15.2 - TABLE 4
Strong winds
[Ref-1] Evaluation of External Hazards to Nuclear Power Plants in the United States. NUREG/CR-5042. Lawrence Livermore National Laboratory. NRC. December 1987. (E)
Lightning
[Ref-2] Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities. NUREG-1407. NRC. June 1991. (E)